- update to 1.8
- temporarily bundling the krb5-appl package (split upstream as of 1.8) until its package review is complete - profile.d scriptlets are now only needed by -workstation-clients - adjust paths in init scripts - drop upstreamed fix for KDC denial of service (CVE-2010-0283) - drop patch to check the user's password correctly using crypt(), which isn't a code path we hit when we're using PAM
This commit is contained in:
parent
9c84ef7b56
commit
75b08040ff
@ -31,3 +31,8 @@ krb5-1.7-pdf.tar.gz
|
||||
krb5-1.7.1.tar.gz
|
||||
krb5-1.7.1.tar.gz.asc
|
||||
krb5-1.7.1-pdf.tar.gz
|
||||
krb5-1.8.tar.gz
|
||||
krb5-1.8.tar.gz.asc
|
||||
krb5-appl-1.0.tar.gz
|
||||
krb5-appl-1.0.tar.gz.asc
|
||||
krb5-1.8-pdf.tar.gz
|
||||
|
@ -1,42 +0,0 @@
|
||||
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
|
||||
index 52fbda5..680e6a1 100644
|
||||
--- a/src/kdc/do_as_req.c
|
||||
+++ b/src/kdc/do_as_req.c
|
||||
@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
|
||||
session_key.contents = 0;
|
||||
enc_tkt_reply.authorization_data = NULL;
|
||||
|
||||
+ if (request->msg_type != KRB5_AS_REQ) {
|
||||
+ status = "msg_type mismatch";
|
||||
+ errcode = KRB5_BADMSGTYPE;
|
||||
+ goto errout;
|
||||
+ }
|
||||
errcode = kdc_make_rstate(&state);
|
||||
if (errcode != 0) {
|
||||
status = "constructing state";
|
||||
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
|
||||
index 12180ff..c8cf692 100644
|
||||
--- a/src/kdc/do_tgs_req.c
|
||||
+++ b/src/kdc/do_tgs_req.c
|
||||
@@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
|
||||
retval = decode_krb5_tgs_req(pkt, &request);
|
||||
if (retval)
|
||||
return retval;
|
||||
+ if (request->msg_type != KRB5_TGS_REQ)
|
||||
+ return KRB5_BADMSGTYPE;
|
||||
|
||||
/*
|
||||
* setup_server_realm() sets up the global realm-specific data pointer.
|
||||
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
|
||||
index d88e0cb..2639047 100644
|
||||
--- a/src/kdc/fast_util.c
|
||||
+++ b/src/kdc/fast_util.c
|
||||
@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error
|
||||
krb5_data *encoded_e_data = NULL;
|
||||
|
||||
memset(outer_pa, 0, sizeof(outer_pa));
|
||||
- if (!state->armor_key)
|
||||
+ if (!state || !state->armor_key)
|
||||
return 0;
|
||||
fx_error = *err;
|
||||
fx_error.e_data.data = NULL;
|
@ -33,7 +33,7 @@
|
||||
# Source function library.
|
||||
. /etc/init.d/functions
|
||||
prog="Kerberos 5 Admin Server"
|
||||
kadmind=/usr/kerberos/sbin/kadmind
|
||||
kadmind=/usr/sbin/kadmind
|
||||
|
||||
RETVAL=0
|
||||
|
||||
|
@ -29,7 +29,7 @@
|
||||
|
||||
RETVAL=0
|
||||
prog="Kerberos 5 Propagation Server"
|
||||
kpropd=/usr/kerberos/sbin/kpropd
|
||||
kpropd=/usr/sbin/kpropd
|
||||
|
||||
# Shell functions to cut down on useless shell instances.
|
||||
start() {
|
||||
|
@ -1,45 +0,0 @@
|
||||
The idea is to not complain about problems in the default ticket file if we
|
||||
couldn't read it, because the client would be able to tell if it's there or
|
||||
not. Still needs work, I think.
|
||||
--- krb5-1.3/src/clients/ksu/ccache.c
|
||||
+++ krb5-1.3/src/clients/ksu/ccache.c
|
||||
@@ -77,7 +77,7 @@
|
||||
cc_def_name = krb5_cc_get_name(context, cc_def);
|
||||
cc_other_name = krb5_cc_get_name(context, *cc_other);
|
||||
|
||||
- if ( ! stat(cc_def_name, &st_temp)){
|
||||
+ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
|
||||
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
|
||||
return retval;
|
||||
}
|
||||
--- krb5-1.3/src/clients/ksu/heuristic.c
|
||||
+++ krb5-1.3/src/clients/ksu/heuristic.c
|
||||
@@ -412,7 +412,7 @@
|
||||
|
||||
cc_source_name = krb5_cc_get_name(context, cc);
|
||||
|
||||
- if ( ! stat(cc_source_name, &st_temp)){
|
||||
+ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
|
||||
|
||||
retval = find_ticket(context, cc, client, end_server, &temp_found);
|
||||
if (retval)
|
||||
@@ -572,7 +572,7 @@
|
||||
cc_source_name = krb5_cc_get_name(context, cc_source);
|
||||
|
||||
|
||||
- if (! stat(cc_source_name, &st_temp)) {
|
||||
+ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
|
||||
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
|
||||
if (retval)
|
||||
return retval;
|
||||
--- krb5-1.3/src/clients/ksu/main.c
|
||||
+++ krb5-1.3/src/clients/ksu/main.c
|
||||
@@ -263,7 +263,7 @@
|
||||
if ( strchr(cc_source_tag, ':')){
|
||||
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
|
||||
|
||||
- if( stat( cc_source_tag_tmp, &st_temp)){
|
||||
+ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
|
||||
com_err (prog_name, errno,
|
||||
"while looking for credentials file %s",
|
||||
cc_source_tag_tmp);
|
@ -1,14 +0,0 @@
|
||||
Set the default PATH to the one set by login, with the addition of the
|
||||
/usr/X11R6/bin to the end of the list.
|
||||
|
||||
--- krb5-1.5/src/clients/ksu/Makefile.in 2006-05-24 17:19:23.000000000 -0400
|
||||
+++ krb5-1.5/src/clients/ksu/Makefile.in 2006-07-05 14:24:41.000000000 -0400
|
||||
@@ -2,7 +2,7 @@
|
||||
myfulldir=clients/ksu
|
||||
mydir=clients/ksu
|
||||
BUILDTOP=$(REL)..$(S)..
|
||||
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
|
||||
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin /usr/X11R6/bin"'
|
||||
DEFS=
|
||||
|
||||
PROG_LIBPATH=-L$(TOPLIBD)
|
@ -1,28 +0,0 @@
|
||||
The local crypt() may support hash types which use more than the first 8
|
||||
characters. It also doesn't modify the input string, so we should just
|
||||
stop truncating it. Are there platforms where the input string *is* modified?
|
||||
|
||||
--- krb5-1.2.7/src/appl/bsd/login.c 2005-11-15 16:20:34.000000000 -0500
|
||||
+++ krb5-1.2.7/src/appl/bsd/login.c 2005-11-15 16:20:29.000000000 -0500
|
||||
@@ -461,17 +461,14 @@
|
||||
static int unix_passwd_okay (pass)
|
||||
char *pass;
|
||||
{
|
||||
- char user_pwcopy[9], *namep;
|
||||
+ char *namep;
|
||||
char *crypt ();
|
||||
|
||||
assert (pwd != 0);
|
||||
|
||||
- /* copy the first 8 chars of the password for unix crypt */
|
||||
- strncpy(user_pwcopy, pass, sizeof(user_pwcopy));
|
||||
- user_pwcopy[sizeof(user_pwcopy) - 1]='\0';
|
||||
- namep = crypt(user_pwcopy, salt);
|
||||
- memset (user_pwcopy, 0, sizeof(user_pwcopy));
|
||||
- /* ... and wipe the copy now that we have the string */
|
||||
+ namep = crypt(pass, salt);
|
||||
+ if (strlen(namep) < 13)
|
||||
+ return 0;
|
||||
|
||||
/* verify the local password string */
|
||||
#ifdef HAVE_SHADOW
|
@ -1,69 +0,0 @@
|
||||
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
|
||||
original version filed as RT#5891.
|
||||
|
||||
diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
|
||||
--- krb5-1.7/src/aclocal.m4 2009-06-04 14:38:07.000000000 -0400
|
||||
+++ krb5-1.7/src/aclocal.m4 2009-06-04 14:38:07.000000000 -0400
|
||||
@@ -1746,6 +1746,12 @@ AC_ARG_WITH([edirectory],
|
||||
yes | no) ;;
|
||||
*) AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
|
||||
esac], with_edirectory=no)dnl
|
||||
+AC_ARG_WITH([dirsrv],
|
||||
+[ --with-dirsrv compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
|
||||
+[case "$withval" in
|
||||
+ yes | no) ;;
|
||||
+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;;
|
||||
+esac], with_dirsrv=no)dnl
|
||||
|
||||
if test $with_ldap = yes; then
|
||||
if test $with_edirectory = yes; then
|
||||
@@ -1757,6 +1763,10 @@ elif test $with_edirectory = yes; then
|
||||
AC_MSG_NOTICE(enabling eDirectory database backend module support)
|
||||
OPENLDAP_PLUGIN=yes
|
||||
AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
|
||||
+elif test $with_dirsrv = yes; then
|
||||
+ AC_MSG_NOTICE(enabling 389/Red Hat/Fedora/Netscape Directory Server database backend module support)
|
||||
+ OPENLDAP_PLUGIN=yes
|
||||
+ AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.])
|
||||
else
|
||||
: # neither enabled
|
||||
dnl AC_MSG_NOTICE(disabling ldap backend module support)
|
||||
diff -up krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
|
||||
--- krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2009-02-18 13:14:48.000000000 -0500
|
||||
+++ krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2009-06-04 14:38:07.000000000 -0400
|
||||
@@ -2157,6 +2157,22 @@ populate_krb5_db_entry (krb5_context con
|
||||
}
|
||||
}
|
||||
#endif
|
||||
+#ifdef HAVE_DIRSRV
|
||||
+ {
|
||||
+ krb5_timestamp expiretime=0;
|
||||
+ char *is_login_disabled=NULL;
|
||||
+
|
||||
+ /* LOGIN DISABLED */
|
||||
+ if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled,
|
||||
+ &attr_present)) != 0)
|
||||
+ goto cleanup;
|
||||
+ if (attr_present == TRUE) {
|
||||
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
|
||||
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
|
||||
+ free (is_login_disabled);
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
|
||||
goto cleanup;
|
||||
diff -up krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
|
||||
--- krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-04-14 17:07:34.000000000 -0400
|
||||
+++ krb5-1.7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2009-06-04 14:38:07.000000000 -0400
|
||||
@@ -58,6 +58,9 @@ char *principal_attributes[] = { "kr
|
||||
"loginexpirationtime",
|
||||
"logindisabled",
|
||||
#endif
|
||||
+#ifdef HAVE_DIRSRV
|
||||
+ "nsaccountlock",
|
||||
+#endif
|
||||
"krbLastPwdChange",
|
||||
"krbExtraData",
|
||||
"krbObjectReferences",
|
@ -1,17 +0,0 @@
|
||||
Don't warn of expiration reported the new way if it's more than a week from
|
||||
now, for consistency with the code that handles expiration times reported the
|
||||
old way.
|
||||
|
||||
diff -up krb5-1.7/src/lib/krb5/krb/gic_pwd.c krb5-1.7/src/lib/krb5/krb/gic_pwd.c
|
||||
--- krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-18 11:12:02.000000000 -0500
|
||||
+++ krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-18 11:11:50.000000000 -0500
|
||||
@@ -389,7 +389,8 @@ cleanup:
|
||||
delta / 86400, ts);
|
||||
/* ignore an error here */
|
||||
/* PROMPTER_INVOCATION */
|
||||
- (*prompter)(context, data, 0, banner, 0, 0);
|
||||
+ if (delta < 86400 * 7)
|
||||
+ (*prompter)(context, data, 0, banner, 0, 0);
|
||||
}
|
||||
}
|
||||
}
|
@ -1,29 +0,0 @@
|
||||
Use an in-memory ccache to silence a compiler warning.
|
||||
|
||||
diff -up krb5-1.7/src/slave/kprop.c krb5-1.7/src/slave/kprop.c
|
||||
--- krb5-1.7/src/slave/kprop.c 2008-12-01 12:09:59.000000000 -0500
|
||||
+++ krb5-1.7/src/slave/kprop.c 2009-06-04 14:14:10.000000000 -0400
|
||||
@@ -211,9 +211,8 @@ void PRS(argc, argv)
|
||||
void get_tickets(context)
|
||||
krb5_context context;
|
||||
{
|
||||
- char buf[BUFSIZ];
|
||||
+ char buf[] = "MEMORY:_kproptkt";
|
||||
krb5_error_code retval;
|
||||
- static char tkstring[] = "/tmp/kproptktXXXXXX";
|
||||
krb5_keytab keytab = NULL;
|
||||
|
||||
/*
|
||||
@@ -238,11 +237,8 @@ void get_tickets(context)
|
||||
#endif
|
||||
|
||||
/*
|
||||
- * Initialize cache file which we're going to be using
|
||||
+ * Initialize an in-memory cache for temporary use
|
||||
*/
|
||||
- (void) mktemp(tkstring);
|
||||
- snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
|
||||
-
|
||||
retval = krb5_cc_resolve(context, buf, &ccache);
|
||||
if (retval) {
|
||||
com_err(progname, retval, "while opening credential cache %s",
|
@ -1,17 +0,0 @@
|
||||
This isn't a proper fix (it doesn't actually switch to using the new API),
|
||||
but it'll do for now.
|
||||
diff -up src/plugins/preauth/pkinit/pkinit_crypto_openssl.c src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
||||
--- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c.openssl-1.0 2009-01-23 01:51:03.000000000 -0500
|
||||
+++ src/plugins/preauth/pkinit/pkinit_crypto_openssl.c 2009-08-24 11:19:35.000000000 -0400
|
||||
@@ -3652,7 +3652,11 @@ decode_data(unsigned char **out_data, un
|
||||
if (buf == NULL)
|
||||
goto cleanup;
|
||||
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10000000L
|
||||
retval = EVP_PKEY_decrypt(buf, data, (int)data_len, pkey);
|
||||
+#else
|
||||
+ retval = EVP_PKEY_decrypt_old(buf, data, (int)data_len, pkey);
|
||||
+#endif
|
||||
if (retval <= 0) {
|
||||
pkiDebug("unable to decrypt received data (len=%d)\n", data_len);
|
||||
goto cleanup;
|
@ -1,14 +0,0 @@
|
||||
Check opte->flags instead of options->flags, because we know that opte has
|
||||
been initialized to the library defaults if options was NULL.
|
||||
diff -up krb5-1.7/src/lib/krb5/krb/gic_pwd.c krb5-1.7/src/lib/krb5/krb/gic_pwd.c
|
||||
--- krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-15 15:07:52.000000000 -0500
|
||||
+++ krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-15 15:07:56.000000000 -0500
|
||||
@@ -200,7 +200,7 @@ krb5_get_init_creds_password(krb5_contex
|
||||
* to prompt. Prompting is only disabled if the option has been set
|
||||
* and the value has been set to false.
|
||||
*/
|
||||
- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
|
||||
+ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
|
||||
goto cleanup;
|
||||
|
||||
/* ok, we have an expired password. Give the user a few chances
|
@ -1,66 +0,0 @@
|
||||
Handle ut_tv not always being a struct timeval. RT#6520
|
||||
|
||||
Index: krb5/src/appl/libpty/update_utmp.c
|
||||
===================================================================
|
||||
--- krb5/src/appl/libpty/update_utmp.c (revision 22423)
|
||||
+++ krb5/src/appl/libpty/update_utmp.c (working copy)
|
||||
@@ -291,6 +291,12 @@
|
||||
* The ut_exit field seems to exist in utmp, but not utmpx. The files
|
||||
* utmp and wtmp seem to exist, but not utmpx, or wtmpx.
|
||||
*
|
||||
+ * glibc:
|
||||
+ *
|
||||
+ * The ut_tv field of struct utmp/utmpx may be an anonymous structure
|
||||
+ * containing 32-bit values on systems where time_t is 64 bits. Its
|
||||
+ * fields have the same names, though.
|
||||
+ *
|
||||
* libpty Implementation Decisions:
|
||||
* --------------------------------
|
||||
*
|
||||
@@ -505,6 +511,8 @@
|
||||
const char *line, const char *host, int flags)
|
||||
{
|
||||
PTY_STRUCT_UTMPX utx, *utxtmp, utx2;
|
||||
+ struct timeval ut_tv;
|
||||
+ time_t login_time;
|
||||
const char *cp;
|
||||
size_t len;
|
||||
char utmp_id[5];
|
||||
@@ -577,10 +585,13 @@
|
||||
utxtmp = best_utxent(&utx);
|
||||
|
||||
#ifdef HAVE_SETUTXENT
|
||||
- if (gettimeofday(&utx.ut_tv, NULL))
|
||||
+ if (gettimeofday(&ut_tv, NULL))
|
||||
return errno;
|
||||
+ utx.ut_tv.tv_sec = ut_tv.tv_sec;
|
||||
+ utx.ut_tv.tv_usec = ut_tv.tv_usec;
|
||||
#else
|
||||
- (void)time(&utx.ut_time);
|
||||
+ (void)time(&login_time);
|
||||
+ utx.ut_time = login_time;
|
||||
#endif
|
||||
/*
|
||||
* On what system is there not ut_host? Unix98 doesn't mandate
|
||||
Index: krb5/src/appl/bsd/login.c
|
||||
===================================================================
|
||||
--- krb5/src/appl/bsd/login.c (revision 22423)
|
||||
+++ krb5/src/appl/bsd/login.c (working copy)
|
||||
@@ -719,7 +719,6 @@
|
||||
char *domain, **envinit, *ttyn, *tty;
|
||||
char tbuf[MAXPATHLEN + 2];
|
||||
char *ttyname(), *crypt(), *getpass();
|
||||
- time_t login_time;
|
||||
int retval;
|
||||
int rewrite_ccache = 1; /*try to write out ccache*/
|
||||
#ifdef KRB5_GET_TICKETS
|
||||
@@ -1071,9 +1070,6 @@
|
||||
|
||||
/* nothing else left to fail -- really log in */
|
||||
{
|
||||
- struct utmp utmp;
|
||||
-
|
||||
- login_time = time(&utmp.ut_time);
|
||||
if ((retval = pty_update_utmp(PTY_USER_PROCESS, getpid(), username,
|
||||
ttyn, hostname,
|
||||
PTY_TTYSLOT_USABLE)) < 0)
|
@ -1,32 +0,0 @@
|
||||
If we encounter any errors reading the user's principal name from the default
|
||||
ccache, fall back to the default of using the current user's name.
|
||||
--- krb5/src/clients/kpasswd/kpasswd.c
|
||||
+++ krb5/src/clients/kpasswd/kpasswd.c
|
||||
@@ -84,21 +84,23 @@ int main(int argc, char *argv[])
|
||||
exit(1);
|
||||
}
|
||||
} else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) {
|
||||
+ princ = NULL;
|
||||
+
|
||||
if (ret) {
|
||||
com_err(argv[0], ret, "opening default ccache");
|
||||
- exit(1);
|
||||
}
|
||||
+ else
|
||||
|
||||
if ((ret = krb5_cc_get_principal(context, ccache, &princ))) {
|
||||
com_err(argv[0], ret, "getting principal from ccache");
|
||||
- exit(1);
|
||||
}
|
||||
+ else
|
||||
|
||||
if ((ret = krb5_cc_close(context, ccache))) {
|
||||
com_err(argv[0], ret, "closing ccache");
|
||||
- exit(1);
|
||||
}
|
||||
- } else {
|
||||
+ }
|
||||
+ if (princ == NULL) {
|
||||
get_name_from_passwd_file(argv[0], context, &princ);
|
||||
}
|
||||
|
@ -2,10 +2,10 @@ Reference docs don't define what happens if you call krb5_realm_compare() with
|
||||
malformed krb5_principal structures. Define a behavior which keeps it from
|
||||
crashing if applications don't check ahead of time.
|
||||
|
||||
diff -up krb5-1.7/src/lib/krb5/krb/princ_comp.c krb5-1.7/src/lib/krb5/krb/princ_comp.c
|
||||
--- krb5-1.7/src/lib/krb5/krb/princ_comp.c 2009-01-03 18:19:42.000000000 -0500
|
||||
+++ krb5-1.7/src/lib/krb5/krb/princ_comp.c 2009-06-04 14:31:26.000000000 -0400
|
||||
@@ -40,6 +40,12 @@ realm_compare_flags(krb5_context context
|
||||
diff -up krb5-1.8/src/lib/krb5/krb/princ_comp.c.api krb5-1.8/src/lib/krb5/krb/princ_comp.c
|
||||
--- krb5-1.8/src/lib/krb5/krb/princ_comp.c.api 2009-10-30 20:48:38.000000000 -0400
|
||||
+++ krb5-1.8/src/lib/krb5/krb/princ_comp.c 2010-03-05 11:00:55.000000000 -0500
|
||||
@@ -41,6 +41,12 @@ realm_compare_flags(krb5_context context
|
||||
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
|
||||
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
|
||||
|
||||
@ -18,7 +18,7 @@ diff -up krb5-1.7/src/lib/krb5/krb/princ_comp.c krb5-1.7/src/lib/krb5/krb/princ_
|
||||
if (realm1->length != realm2->length)
|
||||
return FALSE;
|
||||
|
||||
@@ -91,6 +97,9 @@ krb5_principal_compare_flags(krb5_contex
|
||||
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
|
||||
krb5_principal upn2 = NULL;
|
||||
krb5_boolean ret = FALSE;
|
||||
|
69
krb5-1.8-dirsrv-accountlock.patch
Normal file
69
krb5-1.8-dirsrv-accountlock.patch
Normal file
@ -0,0 +1,69 @@
|
||||
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
|
||||
original version filed as RT#5891.
|
||||
|
||||
diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
|
||||
--- krb5-1.8/src/aclocal.m4.dirsrv-accountlock 2010-03-05 11:03:09.000000000 -0500
|
||||
+++ krb5-1.8/src/aclocal.m4 2010-03-05 11:03:10.000000000 -0500
|
||||
@@ -1678,6 +1678,12 @@ AC_ARG_WITH([edirectory],
|
||||
yes | no) ;;
|
||||
*) AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
|
||||
esac], with_edirectory=no)dnl
|
||||
+AC_ARG_WITH([dirsrv],
|
||||
+[ --with-dirsrv compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
|
||||
+[case "$withval" in
|
||||
+ yes | no) ;;
|
||||
+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;;
|
||||
+esac], with_dirsrv=no)dnl
|
||||
|
||||
if test $with_ldap = yes; then
|
||||
if test $with_edirectory = yes; then
|
||||
@@ -1689,6 +1695,10 @@ elif test $with_edirectory = yes; then
|
||||
AC_MSG_NOTICE(enabling eDirectory database backend module support)
|
||||
OPENLDAP_PLUGIN=yes
|
||||
AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
|
||||
+elif test $with_dirsrv = yes; then
|
||||
+ AC_MSG_NOTICE(enabling 389/Red Hat/Fedora/Netscape Directory Server database backend module support)
|
||||
+ OPENLDAP_PLUGIN=yes
|
||||
+ AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.])
|
||||
else
|
||||
: # neither enabled
|
||||
dnl AC_MSG_NOTICE(disabling ldap backend module support)
|
||||
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
|
||||
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
|
||||
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500
|
||||
@@ -2101,6 +2101,22 @@ populate_krb5_db_entry(krb5_context cont
|
||||
}
|
||||
}
|
||||
#endif
|
||||
+#ifdef HAVE_DIRSRV
|
||||
+ {
|
||||
+ krb5_timestamp expiretime=0;
|
||||
+ char *is_login_disabled=NULL;
|
||||
+
|
||||
+ /* LOGIN DISABLED */
|
||||
+ if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled,
|
||||
+ &attr_present)) != 0)
|
||||
+ goto cleanup;
|
||||
+ if (attr_present == TRUE) {
|
||||
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
|
||||
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
|
||||
+ free (is_login_disabled);
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
|
||||
if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
|
||||
goto cleanup;
|
||||
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
|
||||
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
|
||||
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2010-03-05 11:03:10.000000000 -0500
|
||||
@@ -59,6 +59,9 @@ char *principal_attributes[] = { "kr
|
||||
"loginexpirationtime",
|
||||
"logindisabled",
|
||||
#endif
|
||||
+#ifdef HAVE_DIRSRV
|
||||
+ "nsaccountlock",
|
||||
+#endif
|
||||
"krbLastPwdChange",
|
||||
"krbExtraData",
|
||||
"krbObjectReferences",
|
17
krb5-1.8-exp_warn.patch
Normal file
17
krb5-1.8-exp_warn.patch
Normal file
@ -0,0 +1,17 @@
|
||||
Don't warn of expiration reported the new way if it's more than a week from
|
||||
now, for consistency with the code that handles expiration times reported the
|
||||
old way.
|
||||
|
||||
diff -up krb5-1.8/src/lib/krb5/krb/gic_pwd.c.exp_warn krb5-1.8/src/lib/krb5/krb/gic_pwd.c
|
||||
--- krb5-1.8/src/lib/krb5/krb/gic_pwd.c.exp_warn 2010-03-05 11:04:10.000000000 -0500
|
||||
+++ krb5-1.8/src/lib/krb5/krb/gic_pwd.c 2010-03-05 11:04:10.000000000 -0500
|
||||
@@ -407,7 +407,8 @@ cleanup:
|
||||
delta / 86400, ts);
|
||||
/* ignore an error here */
|
||||
/* PROMPTER_INVOCATION */
|
||||
- (*prompter)(context, data, 0, banner, 0, 0);
|
||||
+ if (delta < 86400 * 7)
|
||||
+ (*prompter)(context, data, 0, banner, 0, 0);
|
||||
}
|
||||
}
|
||||
}
|
@ -1,8 +1,10 @@
|
||||
Sadique Puthen notes that the warning on the client side seems to be correspond
|
||||
to the wrong attribute on the KDC. Do what RFC4120 says we should do. RT#5755.
|
||||
--- krb5-1.6.2/src/kdc/do_as_req.c 2007-06-25 15:49:06.000000000 -0400
|
||||
+++ krb5-1.6.2/src/kdc/do_as_req.c 2007-06-25 15:49:08.000000000 -0400
|
||||
@@ -371,7 +371,14 @@ process_as_req(krb5_kdc_req *request, kr
|
||||
|
||||
diff -up krb5-1.8/src/kdc/do_as_req.c.key_exp krb5-1.8/src/kdc/do_as_req.c
|
||||
--- krb5-1.8/src/kdc/do_as_req.c.key_exp 2010-02-16 17:21:08.000000000 -0500
|
||||
+++ krb5-1.8/src/kdc/do_as_req.c 2010-03-05 11:02:06.000000000 -0500
|
||||
@@ -555,7 +555,14 @@ process_as_req(krb5_kdc_req *request, kr
|
||||
goto errout;
|
||||
}
|
||||
reply_encpart.nonce = request->nonce;
|
34
krb5-1.8-kpasswd_ccache.patch
Normal file
34
krb5-1.8-kpasswd_ccache.patch
Normal file
@ -0,0 +1,34 @@
|
||||
If we encounter any errors reading the user's principal name from the default
|
||||
ccache, fall back to the default of using the current user's name.
|
||||
|
||||
diff -up krb5-1.8/src/clients/kpasswd/kpasswd.c.kpasswd-ccache krb5-1.8/src/clients/kpasswd/kpasswd.c
|
||||
--- krb5-1.8/src/clients/kpasswd/kpasswd.c.kpasswd-ccache 2009-10-30 20:48:38.000000000 -0400
|
||||
+++ krb5-1.8/src/clients/kpasswd/kpasswd.c 2010-03-05 11:04:42.000000000 -0500
|
||||
@@ -85,21 +85,23 @@ int main(int argc, char *argv[])
|
||||
exit(1);
|
||||
}
|
||||
} else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) {
|
||||
+ princ = NULL;
|
||||
+
|
||||
if (ret) {
|
||||
com_err(argv[0], ret, "opening default ccache");
|
||||
- exit(1);
|
||||
}
|
||||
+ else
|
||||
|
||||
if ((ret = krb5_cc_get_principal(context, ccache, &princ))) {
|
||||
com_err(argv[0], ret, "getting principal from ccache");
|
||||
- exit(1);
|
||||
}
|
||||
+ else
|
||||
|
||||
if ((ret = krb5_cc_close(context, ccache))) {
|
||||
com_err(argv[0], ret, "closing ccache");
|
||||
- exit(1);
|
||||
}
|
||||
- } else {
|
||||
+ }
|
||||
+ if (princ == NULL) {
|
||||
get_name_from_passwd_file(argv[0], context, &princ);
|
||||
}
|
||||
|
34
krb5-1.8-kpasswd_tcp.patch
Normal file
34
krb5-1.8-kpasswd_tcp.patch
Normal file
@ -0,0 +1,34 @@
|
||||
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
|
||||
to wait for UDP to fail, so this might not be ideal. RT #5868.
|
||||
|
||||
diff -up krb5-1.8/src/lib/krb5/os/changepw.c.kpasswd_tcp krb5-1.8/src/lib/krb5/os/changepw.c
|
||||
--- krb5-1.8/src/lib/krb5/os/changepw.c.kpasswd_tcp 2009-12-02 13:06:19.000000000 -0500
|
||||
+++ krb5-1.8/src/lib/krb5/os/changepw.c 2010-03-05 11:02:39.000000000 -0500
|
||||
@@ -270,11 +270,22 @@ change_set_password(krb5_context context
|
||||
NULL,
|
||||
NULL
|
||||
))) {
|
||||
-
|
||||
- /*
|
||||
- * Here we may want to switch to TCP on some errors.
|
||||
- * right?
|
||||
- */
|
||||
+ /* if we're not using a stream socket, and it's an error which
|
||||
+ * might reasonably be specific to a datagram "connection", try
|
||||
+ * again with a stream socket */
|
||||
+ if (!useTcp) {
|
||||
+ switch (code) {
|
||||
+ case KRB5_KDC_UNREACH:
|
||||
+ case KRB5_REALM_CANT_RESOLVE:
|
||||
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
|
||||
+ /* should we do this for more result codes than these? */
|
||||
+ krb5int_free_addrlist (&al);
|
||||
+ useTcp = 1;
|
||||
+ continue;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
break;
|
||||
}
|
||||
|
29
krb5-1.8-kprop-mktemp.patch
Normal file
29
krb5-1.8-kprop-mktemp.patch
Normal file
@ -0,0 +1,29 @@
|
||||
Use an in-memory ccache to silence a compiler warning.
|
||||
|
||||
diff -up krb5-1.8/src/slave/kprop.c.kprop-mktemp krb5-1.8/src/slave/kprop.c
|
||||
--- krb5-1.8/src/slave/kprop.c.kprop-mktemp 2009-11-06 18:29:12.000000000 -0500
|
||||
+++ krb5-1.8/src/slave/kprop.c 2010-03-05 10:59:06.000000000 -0500
|
||||
@@ -202,9 +202,8 @@ void PRS(argc, argv)
|
||||
void get_tickets(context)
|
||||
krb5_context context;
|
||||
{
|
||||
- char buf[BUFSIZ];
|
||||
+ char buf[] = "MEMORY:_kproptkt";
|
||||
krb5_error_code retval;
|
||||
- static char tkstring[] = "/tmp/kproptktXXXXXX";
|
||||
krb5_keytab keytab = NULL;
|
||||
|
||||
/*
|
||||
@@ -229,11 +228,8 @@ void get_tickets(context)
|
||||
#endif
|
||||
|
||||
/*
|
||||
- * Initialize cache file which we're going to be using
|
||||
+ * Initialize an in-memory cache for temporary use
|
||||
*/
|
||||
- (void) mktemp(tkstring);
|
||||
- snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
|
||||
-
|
||||
retval = krb5_cc_resolve(context, buf, &ccache);
|
||||
if (retval) {
|
||||
com_err(progname, retval, "while opening credential cache %s",
|
49
krb5-1.8-ksu-access.patch
Normal file
49
krb5-1.8-ksu-access.patch
Normal file
@ -0,0 +1,49 @@
|
||||
The idea is to not complain about problems in the default ticket file if we
|
||||
couldn't read it, because the client would be able to tell if it's there or
|
||||
not. Still needs work, I think.
|
||||
|
||||
diff -up krb5-1.8/src/clients/ksu/ccache.c.ksu-access krb5-1.8/src/clients/ksu/ccache.c
|
||||
--- krb5-1.8/src/clients/ksu/ccache.c.ksu-access 2009-10-30 20:48:38.000000000 -0400
|
||||
+++ krb5-1.8/src/clients/ksu/ccache.c 2010-03-05 10:57:56.000000000 -0500
|
||||
@@ -78,7 +78,7 @@ krb5_error_code krb5_ccache_copy (contex
|
||||
cc_def_name = krb5_cc_get_name(context, cc_def);
|
||||
cc_other_name = krb5_cc_get_name(context, *cc_other);
|
||||
|
||||
- if ( ! stat(cc_def_name, &st_temp)){
|
||||
+ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
|
||||
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
|
||||
return retval;
|
||||
}
|
||||
diff -up krb5-1.8/src/clients/ksu/heuristic.c.ksu-access krb5-1.8/src/clients/ksu/heuristic.c
|
||||
--- krb5-1.8/src/clients/ksu/heuristic.c.ksu-access 2009-10-30 20:48:38.000000000 -0400
|
||||
+++ krb5-1.8/src/clients/ksu/heuristic.c 2010-03-05 10:57:56.000000000 -0500
|
||||
@@ -409,7 +409,7 @@ krb5_error_code find_either_ticket (cont
|
||||
|
||||
cc_source_name = krb5_cc_get_name(context, cc);
|
||||
|
||||
- if ( ! stat(cc_source_name, &st_temp)){
|
||||
+ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
|
||||
|
||||
retval = find_ticket(context, cc, client, end_server, &temp_found);
|
||||
if (retval)
|
||||
@@ -569,7 +569,7 @@ krb5_error_code get_best_princ_for_targe
|
||||
cc_source_name = krb5_cc_get_name(context, cc_source);
|
||||
|
||||
|
||||
- if (! stat(cc_source_name, &st_temp)) {
|
||||
+ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
|
||||
retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
|
||||
if (retval)
|
||||
return retval;
|
||||
diff -up krb5-1.8/src/clients/ksu/main.c.ksu-access krb5-1.8/src/clients/ksu/main.c
|
||||
--- krb5-1.8/src/clients/ksu/main.c.ksu-access 2010-03-05 10:57:55.000000000 -0500
|
||||
+++ krb5-1.8/src/clients/ksu/main.c 2010-03-05 10:57:56.000000000 -0500
|
||||
@@ -270,7 +270,7 @@ main (argc, argv)
|
||||
if ( strchr(cc_source_tag, ':')){
|
||||
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
|
||||
|
||||
- if( stat( cc_source_tag_tmp, &st_temp)){
|
||||
+ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
|
||||
com_err (prog_name, errno,
|
||||
"while looking for credentials file %s",
|
||||
cc_source_tag_tmp);
|
13
krb5-1.8-ksu-path.patch
Normal file
13
krb5-1.8-ksu-path.patch
Normal file
@ -0,0 +1,13 @@
|
||||
Set the default PATH to the one set by login.
|
||||
|
||||
diff -up krb5-1.8/src/clients/ksu/Makefile.in.ksu-path krb5-1.8/src/clients/ksu/Makefile.in
|
||||
--- krb5-1.8/src/clients/ksu/Makefile.in.ksu-path 2010-03-05 10:58:25.000000000 -0500
|
||||
+++ krb5-1.8/src/clients/ksu/Makefile.in 2010-03-05 10:58:25.000000000 -0500
|
||||
@@ -1,6 +1,6 @@
|
||||
mydir=clients/ksu
|
||||
BUILDTOP=$(REL)..$(S)..
|
||||
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
|
||||
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /usr/sbin /bin /usr/bin"'
|
||||
DEFS=
|
||||
|
||||
PROG_LIBPATH=-L$(TOPLIBD)
|
@ -1,77 +1,12 @@
|
||||
Change the absolute paths included in the man pages so that the correct
|
||||
values can be dropped in by config.status. After applying this patch,
|
||||
these files should be renamed to their ".in" counterparts, and then the
|
||||
configure scripts should be rebuilt. RT#6525
|
||||
configure scripts should be rebuilt. Originally RT#6525
|
||||
|
||||
Index: configure.in
|
||||
===================================================================
|
||||
--- configure.in (revision 22425)
|
||||
+++ configure.in (working copy)
|
||||
@@ -1043,6 +1043,16 @@
|
||||
KRB5_WITH_PAM
|
||||
|
||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||
+
|
||||
+V5_AC_OUTPUT_MANPAGE([
|
||||
+ appl/sample/sserver/sserver.M
|
||||
+ config-files/kdc.conf.M
|
||||
+ config-files/krb5.conf.M
|
||||
+ kadmin/cli/kadmin.M
|
||||
+ slave/kpropd.M
|
||||
+ slave/kprop.M
|
||||
+])
|
||||
+
|
||||
V5_AC_OUTPUT_MAKEFILE(.
|
||||
|
||||
util util/support util/profile util/send-pr
|
||||
Index: appl/gssftp/configure.in
|
||||
===================================================================
|
||||
--- appl/gssftp/configure.in (revision 22425)
|
||||
+++ appl/gssftp/configure.in (working copy)
|
||||
@@ -65,4 +65,9 @@
|
||||
dnl
|
||||
dnl
|
||||
KRB5_BUILD_PROGRAM
|
||||
+
|
||||
+V5_AC_OUTPUT_MANPAGE([
|
||||
+ ftpd/ftpd.M
|
||||
+])
|
||||
+
|
||||
V5_AC_OUTPUT_MAKEFILE(. ftp ftpd)
|
||||
Index: appl/bsd/configure.in
|
||||
===================================================================
|
||||
--- appl/bsd/configure.in (revision 22425)
|
||||
+++ appl/bsd/configure.in (working copy)
|
||||
@@ -156,4 +156,10 @@
|
||||
|
||||
KRB5_AC_LIBUTIL
|
||||
KRB5_BUILD_PROGRAM
|
||||
+
|
||||
+V5_AC_OUTPUT_MANPAGE([
|
||||
+ klogind.M
|
||||
+ kshd.M
|
||||
+])
|
||||
+
|
||||
V5_AC_OUTPUT_MAKEFILE
|
||||
Index: appl/telnet/configure.in
|
||||
===================================================================
|
||||
--- appl/telnet/configure.in (revision 22425)
|
||||
+++ appl/telnet/configure.in (working copy)
|
||||
@@ -161,4 +161,9 @@
|
||||
LIBS="$old_LIBS"
|
||||
dnl
|
||||
KRB5_AC_LIBUTIL
|
||||
+
|
||||
+V5_AC_OUTPUT_MANPAGE([
|
||||
+ telnetd/telnetd.8
|
||||
+])
|
||||
+
|
||||
V5_AC_OUTPUT_MAKEFILE(. libtelnet telnet telnetd)
|
||||
Index: aclocal.m4
|
||||
===================================================================
|
||||
--- aclocal.m4 (revision 22425)
|
||||
+++ aclocal.m4 (working copy)
|
||||
@@ -1854,3 +1854,24 @@
|
||||
diff -up krb5-1.8/src/aclocal.m4.manpaths krb5-1.8/src/aclocal.m4
|
||||
--- krb5-1.8/src/aclocal.m4.manpaths 2010-03-05 10:55:28.000000000 -0500
|
||||
+++ krb5-1.8/src/aclocal.m4 2010-03-05 10:55:29.000000000 -0500
|
||||
@@ -1770,3 +1770,24 @@ AC_SUBST(PAM_LIBS)
|
||||
AC_SUBST(PAM_MAN)
|
||||
AC_SUBST(NON_PAM_MAN)
|
||||
])dnl
|
||||
@ -96,11 +31,10 @@ Index: aclocal.m4
|
||||
+AC_SUBST(manlibexecdir)
|
||||
+AC_CONFIG_FILES($1)
|
||||
+])
|
||||
Index: appl/sample/sserver/sserver.M
|
||||
===================================================================
|
||||
--- appl/sample/sserver/sserver.M (revision 22425)
|
||||
+++ appl/sample/sserver/sserver.M (working copy)
|
||||
@@ -59,7 +59,7 @@
|
||||
diff -up krb5-1.8/src/appl/sample/sserver/sserver.M.manpaths krb5-1.8/src/appl/sample/sserver/sserver.M
|
||||
--- krb5-1.8/src/appl/sample/sserver/sserver.M.manpaths 1999-09-24 17:20:59.000000000 -0400
|
||||
+++ krb5-1.8/src/appl/sample/sserver/sserver.M 2010-03-05 10:55:29.000000000 -0500
|
||||
@@ -59,7 +59,7 @@ option allows for a different keytab tha
|
||||
using a line in
|
||||
/etc/inetd.conf that looks like this:
|
||||
.PP
|
||||
@ -109,97 +43,10 @@ Index: appl/sample/sserver/sserver.M
|
||||
.PP
|
||||
Since \fBsample\fP is normally not a port defined in /etc/services, you will
|
||||
usually have to add a line to /etc/services which looks like this:
|
||||
Index: appl/bsd/klogind.M
|
||||
===================================================================
|
||||
--- appl/bsd/klogind.M (revision 22425)
|
||||
+++ appl/bsd/klogind.M (working copy)
|
||||
@@ -27,7 +27,7 @@
|
||||
the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
|
||||
configuration line for \fIklogind\fP might be:
|
||||
|
||||
-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
|
||||
+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c
|
||||
|
||||
When a service request is received, the following protocol is initiated:
|
||||
|
||||
Index: appl/bsd/kshd.M
|
||||
===================================================================
|
||||
--- appl/bsd/kshd.M (revision 22425)
|
||||
+++ appl/bsd/kshd.M (working copy)
|
||||
@@ -8,7 +8,7 @@
|
||||
.SH NAME
|
||||
kshd \- kerberized remote shell server
|
||||
.SH SYNOPSIS
|
||||
-.B /usr/local/sbin/kshd
|
||||
+.B @mansbindir@/kshd
|
||||
[
|
||||
.B \-kr45ec
|
||||
]
|
||||
@@ -30,7 +30,7 @@
|
||||
on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
|
||||
configuration line for \fIkrshd\fP might be:
|
||||
|
||||
-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c
|
||||
+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c
|
||||
|
||||
When a service request is received, the following protocol is initiated:
|
||||
|
||||
Index: appl/telnet/telnetd/telnetd.8
|
||||
===================================================================
|
||||
--- appl/telnet/telnetd/telnetd.8 (revision 22425)
|
||||
+++ appl/telnet/telnetd/telnetd.8 (working copy)
|
||||
@@ -37,7 +37,7 @@
|
||||
.SM DARPA TELNET
|
||||
protocol server
|
||||
.SH SYNOPSIS
|
||||
-.B /usr/libexec/telnetd
|
||||
+.B @mansbindir@/telnetd
|
||||
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
|
||||
[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
|
||||
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
|
||||
Index: appl/gssftp/ftpd/ftpd.M
|
||||
===================================================================
|
||||
--- appl/gssftp/ftpd/ftpd.M (revision 22425)
|
||||
+++ appl/gssftp/ftpd/ftpd.M (working copy)
|
||||
@@ -35,7 +35,7 @@
|
||||
.SH NAME
|
||||
ftpd \- DARPA Internet File Transfer Protocol server
|
||||
.SH SYNOPSIS
|
||||
-.B ftpd
|
||||
+.B @mansbindir@/ftpd
|
||||
[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP]
|
||||
[\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
|
||||
[\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP]
|
||||
Index: kadmin/cli/kadmin.M
|
||||
===================================================================
|
||||
--- kadmin/cli/kadmin.M (revision 22425)
|
||||
+++ kadmin/cli/kadmin.M (working copy)
|
||||
@@ -850,9 +850,9 @@
|
||||
.RS
|
||||
.TP
|
||||
EXAMPLE:
|
||||
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
|
||||
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
|
||||
Entry for principal kadmin/admin with kvno 3 removed
|
||||
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
|
||||
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
|
||||
kadmin:
|
||||
.RE
|
||||
.fi
|
||||
@@ -894,7 +894,7 @@
|
||||
.SH HISTORY
|
||||
The
|
||||
.B kadmin
|
||||
-prorgam was originally written by Tom Yu at MIT, as an interface to the
|
||||
+program was originally written by Tom Yu at MIT, as an interface to the
|
||||
OpenVision Kerberos administration program.
|
||||
.SH SEE ALSO
|
||||
.IR kerberos (1),
|
||||
Index: config-files/kdc.conf.M
|
||||
===================================================================
|
||||
--- config-files/kdc.conf.M (revision 22425)
|
||||
+++ config-files/kdc.conf.M (working copy)
|
||||
@@ -82,14 +82,14 @@
|
||||
diff -up krb5-1.8/src/config-files/kdc.conf.M.manpaths krb5-1.8/src/config-files/kdc.conf.M
|
||||
--- krb5-1.8/src/config-files/kdc.conf.M.manpaths 2010-01-04 14:34:33.000000000 -0500
|
||||
+++ krb5-1.8/src/config-files/kdc.conf.M 2010-03-05 10:55:29.000000000 -0500
|
||||
@@ -82,14 +82,14 @@ This
|
||||
.B string
|
||||
specifies the location of the access control list (acl) file that
|
||||
kadmin uses to determine which principals are allowed which permissions
|
||||
@ -216,7 +63,7 @@ Index: config-files/kdc.conf.M
|
||||
|
||||
.IP database_name
|
||||
This
|
||||
@@ -257,7 +257,7 @@
|
||||
@@ -254,7 +254,7 @@ tickets should be checked against the tr
|
||||
realm names and the [capaths] section of its krb5.conf file
|
||||
|
||||
.SH FILES
|
||||
@ -225,11 +72,10 @@ Index: config-files/kdc.conf.M
|
||||
|
||||
.SH SEE ALSO
|
||||
krb5.conf(5), krb5kdc(8)
|
||||
Index: config-files/krb5.conf.M
|
||||
===================================================================
|
||||
--- config-files/krb5.conf.M (revision 22425)
|
||||
+++ config-files/krb5.conf.M (working copy)
|
||||
@@ -643,6 +643,6 @@
|
||||
diff -up krb5-1.8/src/config-files/krb5.conf.M.manpaths krb5-1.8/src/config-files/krb5.conf.M
|
||||
--- krb5-1.8/src/config-files/krb5.conf.M.manpaths 2010-02-25 15:14:21.000000000 -0500
|
||||
+++ krb5-1.8/src/config-files/krb5.conf.M 2010-03-05 10:55:29.000000000 -0500
|
||||
@@ -651,6 +651,6 @@ is whitespace-separated. The LDAP server
|
||||
This LDAP specific tag indicates the number of connections to be maintained per
|
||||
LDAP server.
|
||||
.SH FILES
|
||||
@ -237,42 +83,63 @@ Index: config-files/krb5.conf.M
|
||||
+@mansysconfdir@/krb5.conf
|
||||
.SH SEE ALSO
|
||||
syslog(3)
|
||||
Index: slave/kprop.M
|
||||
===================================================================
|
||||
--- slave/kprop.M (revision 22425)
|
||||
+++ slave/kprop.M (working copy)
|
||||
@@ -39,7 +39,7 @@
|
||||
This is done by transmitting the dumped database file to the slave
|
||||
server over an encrypted, secure channel. The dump file must be created
|
||||
by kdb5_util, and is normally KPROP_DEFAULT_FILE
|
||||
-(/usr/local/var/krb5kdc/slave_datatrans).
|
||||
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
|
||||
.SH OPTIONS
|
||||
diff -up krb5-1.8/src/configure.in.manpaths krb5-1.8/src/configure.in
|
||||
--- krb5-1.8/src/configure.in.manpaths 2010-03-05 10:55:29.000000000 -0500
|
||||
+++ krb5-1.8/src/configure.in 2010-03-05 10:55:29.000000000 -0500
|
||||
@@ -1054,6 +1054,16 @@ fi
|
||||
KRB5_WITH_PAM
|
||||
|
||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||
+
|
||||
+V5_AC_OUTPUT_MANPAGE([
|
||||
+ appl/sample/sserver/sserver.M
|
||||
+ config-files/kdc.conf.M
|
||||
+ config-files/krb5.conf.M
|
||||
+ kadmin/cli/kadmin.M
|
||||
+ slave/kpropd.M
|
||||
+ slave/kprop.M
|
||||
+])
|
||||
+
|
||||
V5_AC_OUTPUT_MAKEFILE(.
|
||||
|
||||
util util/support util/profile util/send-pr
|
||||
diff -up krb5-1.8/src/kadmin/cli/kadmin.M.manpaths krb5-1.8/src/kadmin/cli/kadmin.M
|
||||
--- krb5-1.8/src/kadmin/cli/kadmin.M.manpaths 2010-01-04 14:59:25.000000000 -0500
|
||||
+++ krb5-1.8/src/kadmin/cli/kadmin.M 2010-03-05 10:55:29.000000000 -0500
|
||||
@@ -869,9 +869,9 @@ option is specified, less verbose status
|
||||
.RS
|
||||
.TP
|
||||
\fB\-r\fP \fIrealm\fP
|
||||
@@ -51,7 +51,7 @@
|
||||
\fB\-f\fP \fIfile\fP
|
||||
specifies the filename where the dumped principal database file is to be
|
||||
found; by default the dumped database file is KPROP_DEFAULT_FILE
|
||||
-(normally /usr/local/var/krb5kdc/slave_datatrans).
|
||||
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
|
||||
.TP
|
||||
\fB\-P\fP \fIport\fP
|
||||
specifies the port to use to contact the
|
||||
Index: slave/kpropd.M
|
||||
===================================================================
|
||||
--- slave/kpropd.M (revision 22425)
|
||||
+++ slave/kpropd.M (working copy)
|
||||
@@ -74,7 +74,7 @@
|
||||
EXAMPLE:
|
||||
-kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
|
||||
+kadmin: ktremove -k @manlocalstatedir@/krb5kdc/kadmind.keytab kadmin/admin
|
||||
Entry for principal kadmin/admin with kvno 3 removed
|
||||
- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
|
||||
+ from keytab WRFILE:@manlocalstatedir@/krb5kdc/kadmind.keytab.
|
||||
kadmin:
|
||||
.RE
|
||||
.fi
|
||||
@@ -913,7 +913,7 @@ passwords.
|
||||
.SH HISTORY
|
||||
The
|
||||
.B kadmin
|
||||
-prorgam was originally written by Tom Yu at MIT, as an interface to the
|
||||
+program was originally written by Tom Yu at MIT, as an interface to the
|
||||
OpenVision Kerberos administration program.
|
||||
.SH SEE ALSO
|
||||
.IR kerberos (1),
|
||||
diff -up krb5-1.8/src/slave/kpropd.M.manpaths krb5-1.8/src/slave/kpropd.M
|
||||
--- krb5-1.8/src/slave/kpropd.M.manpaths 2009-12-30 23:21:34.000000000 -0500
|
||||
+++ krb5-1.8/src/slave/kpropd.M 2010-03-05 10:55:29.000000000 -0500
|
||||
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
|
||||
This is done by adding a line to the inetd.conf file which looks like
|
||||
this:
|
||||
|
||||
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
|
||||
+kprop stream tcp nowait root @mansbindir@/kpropd kpropd
|
||||
|
||||
However, kpropd can also run as a standalone deamon, if the
|
||||
However, kpropd can also run as a standalone daemon, if the
|
||||
.B \-S
|
||||
@@ -111,13 +111,13 @@
|
||||
@@ -111,13 +111,13 @@ is used.
|
||||
\fB\-f\fP \fIfile\fP
|
||||
specifies the filename where the dumped principal database file is to be
|
||||
stored; by default the dumped database file is KPROPD_DEFAULT_FILE
|
||||
@ -288,7 +155,7 @@ Index: slave/kpropd.M
|
||||
.TP
|
||||
.B \-S
|
||||
turn on standalone mode. Normally, kpropd is invoked out of
|
||||
@@ -148,14 +148,14 @@
|
||||
@@ -148,14 +148,14 @@ mode.
|
||||
allows the user to specify the path to the
|
||||
kpropd.acl
|
||||
file; by default the path used is KPROPD_ACL_FILE
|
||||
@ -305,3 +172,24 @@ Index: slave/kpropd.M
|
||||
Each entry is a line containing the principal of a host from which the
|
||||
local machine will allow Kerberos database propagation via kprop.
|
||||
.SH SEE ALSO
|
||||
diff -up krb5-1.8/src/slave/kprop.M.manpaths krb5-1.8/src/slave/kprop.M
|
||||
--- krb5-1.8/src/slave/kprop.M.manpaths 1999-09-24 17:20:59.000000000 -0400
|
||||
+++ krb5-1.8/src/slave/kprop.M 2010-03-05 10:55:29.000000000 -0500
|
||||
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
|
||||
This is done by transmitting the dumped database file to the slave
|
||||
server over an encrypted, secure channel. The dump file must be created
|
||||
by kdb5_util, and is normally KPROP_DEFAULT_FILE
|
||||
-(/usr/local/var/krb5kdc/slave_datatrans).
|
||||
+(@manlocalstatedir@/krb5kdc/slave_datatrans).
|
||||
.SH OPTIONS
|
||||
.TP
|
||||
\fB\-r\fP \fIrealm\fP
|
||||
@@ -51,7 +51,7 @@ is used.
|
||||
\fB\-f\fP \fIfile\fP
|
||||
specifies the filename where the dumped principal database file is to be
|
||||
found; by default the dumped database file is KPROP_DEFAULT_FILE
|
||||
-(normally /usr/local/var/krb5kdc/slave_datatrans).
|
||||
+(normally @manlocalstatedir@/krb5kdc/slave_datatrans).
|
||||
.TP
|
||||
\fB\-P\fP \fIport\fP
|
||||
specifies the port to use to contact the
|
33
krb5-1.8-opte.patch
Normal file
33
krb5-1.8-opte.patch
Normal file
@ -0,0 +1,33 @@
|
||||
Fall back to the library default for whether or not to prompt for a password-
|
||||
change during authentication, if we weren't passed any options.
|
||||
|
||||
diff -up krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte krb5-1.8/src/lib/krb5/krb/gic_pwd.c
|
||||
--- krb5-1.8/src/lib/krb5/krb/gic_pwd.c.opte 2009-12-23 11:00:05.000000000 -0500
|
||||
+++ krb5-1.8/src/lib/krb5/krb/gic_pwd.c 2010-03-05 11:03:42.000000000 -0500
|
||||
@@ -123,6 +123,7 @@ krb5_get_init_creds_password(krb5_contex
|
||||
int tries;
|
||||
krb5_creds chpw_creds;
|
||||
krb5_get_init_creds_opt *chpw_opts = NULL;
|
||||
+ krb5_gic_opt_ext *opte = NULL;
|
||||
krb5_data pw0, pw1;
|
||||
char banner[1024], pw0array[1024], pw1array[1024];
|
||||
krb5_prompt prompt[2];
|
||||
@@ -218,7 +219,8 @@ krb5_get_init_creds_password(krb5_contex
|
||||
* to prompt. Prompting is only disabled if the option has been set
|
||||
* and the value has been set to false.
|
||||
*/
|
||||
- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
|
||||
+ krb5int_gic_opt_to_opte(context, options, &opte, 1, NULL);
|
||||
+ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
|
||||
goto cleanup;
|
||||
|
||||
/* ok, we have an expired password. Give the user a few chances
|
||||
@@ -332,6 +334,8 @@ krb5_get_init_creds_password(krb5_contex
|
||||
&use_master, &as_reply);
|
||||
|
||||
cleanup:
|
||||
+ if (opte != options)
|
||||
+ krb5_get_init_creds_opt_free(context, opte);
|
||||
krb5int_set_prompt_types(context, 0);
|
||||
/* if getting the password was successful, then check to see if the
|
||||
password is about to expire, and warn if so */
|
724
krb5-1.8-pam.patch
Normal file
724
krb5-1.8-pam.patch
Normal file
@ -0,0 +1,724 @@
|
||||
Modify ksu so that it performs account and session management for the
|
||||
target user account, mimicking the action of regular su. The default
|
||||
service name is "ksu", because on Fedora at least the configuration used
|
||||
is determined by whether or not a login shell is being opened, and so
|
||||
this may need to vary, too. At run-time, ksu's behavior can be reset to
|
||||
the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
|
||||
section of /etc/krb5.conf.
|
||||
|
||||
When enabled, ksu gains a dependency on libpam.
|
||||
|
||||
Originally RT#5939, needs updating for 1.8.
|
||||
|
||||
diff -up krb5-1.8/src/aclocal.m4.pam krb5-1.8/src/aclocal.m4
|
||||
--- krb5-1.8/src/aclocal.m4.pam 2009-11-22 12:00:45.000000000 -0500
|
||||
+++ krb5-1.8/src/aclocal.m4 2010-03-05 10:48:08.000000000 -0500
|
||||
@@ -1703,3 +1703,70 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
|
||||
]))
|
||||
])dnl
|
||||
dnl
|
||||
+dnl
|
||||
+dnl Use PAM instead of local crypt() compare for checking local passwords,
|
||||
+dnl and perform PAM account, session management, and password-changing where
|
||||
+dnl appropriate.
|
||||
+dnl
|
||||
+AC_DEFUN(KRB5_WITH_PAM,[
|
||||
+AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])],
|
||||
+ withpam="$withval",withpam=auto)
|
||||
+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
|
||||
+ withksupamservice="$withval",withksupamservice=ksu)
|
||||
+old_LIBS="$LIBS"
|
||||
+if test "$withpam" != no ; then
|
||||
+ AC_MSG_RESULT([checking for PAM...])
|
||||
+ PAM_LIBS=
|
||||
+
|
||||
+ AC_CHECK_HEADERS(security/pam_appl.h)
|
||||
+ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then
|
||||
+ if test "$withpam" = auto ; then
|
||||
+ AC_MSG_RESULT([Unable to locate security/pam_appl.h.])
|
||||
+ withpam=no
|
||||
+ else
|
||||
+ AC_MSG_ERROR([Unable to locate security/pam_appl.h.])
|
||||
+ fi
|
||||
+ fi
|
||||
+
|
||||
+ LIBS=
|
||||
+ unset ac_cv_func_pam_start
|
||||
+ AC_CHECK_FUNCS(putenv pam_start)
|
||||
+ if test "x$ac_cv_func_pam_start" = xno ; then
|
||||
+ unset ac_cv_func_pam_start
|
||||
+ AC_CHECK_LIB(dl,dlopen)
|
||||
+ AC_CHECK_FUNCS(pam_start)
|
||||
+ if test "x$ac_cv_func_pam_start" = xno ; then
|
||||
+ AC_CHECK_LIB(pam,pam_start)
|
||||
+ unset ac_cv_func_pam_start
|
||||
+ unset ac_cv_func_pam_getenvlist
|
||||
+ AC_CHECK_FUNCS(pam_start pam_getenvlist)
|
||||
+ if test "x$ac_cv_func_pam_start" = xyes ; then
|
||||
+ PAM_LIBS="$LIBS"
|
||||
+ else
|
||||
+ if test "$withpam" = auto ; then
|
||||
+ AC_MSG_RESULT([Unable to locate libpam.])
|
||||
+ withpam=no
|
||||
+ else
|
||||
+ AC_MSG_ERROR([Unable to locate libpam.])
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi
|
||||
+ if test "$withpam" != no ; then
|
||||
+ AC_MSG_NOTICE([building with PAM support])
|
||||
+ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM])
|
||||
+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
|
||||
+ [Define to the name of the PAM service name to be used by ksu.])
|
||||
+ PAM_LIBS="$LIBS"
|
||||
+ NON_PAM_MAN=".\\\" "
|
||||
+ PAM_MAN=
|
||||
+ else
|
||||
+ PAM_MAN=".\\\" "
|
||||
+ NON_PAM_MAN=
|
||||
+ fi
|
||||
+fi
|
||||
+LIBS="$old_LIBS"
|
||||
+AC_SUBST(PAM_LIBS)
|
||||
+AC_SUBST(PAM_MAN)
|
||||
+AC_SUBST(NON_PAM_MAN)
|
||||
+])dnl
|
||||
diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c
|
||||
--- krb5-1.8/src/clients/ksu/main.c.pam 2009-11-02 22:27:56.000000000 -0500
|
||||
+++ krb5-1.8/src/clients/ksu/main.c 2010-03-05 10:48:08.000000000 -0500
|
||||
@@ -26,6 +26,7 @@
|
||||
* KSU was writen by: Ari Medvinsky, ari@isi.edu
|
||||
*/
|
||||
|
||||
+#include "autoconf.h"
|
||||
#include "ksu.h"
|
||||
#include "adm_proto.h"
|
||||
#include <sys/types.h>
|
||||
@@ -33,6 +34,10 @@
|
||||
#include <signal.h>
|
||||
#include <grp.h>
|
||||
|
||||
+#ifdef USE_PAM
|
||||
+#include "pam.h"
|
||||
+#endif
|
||||
+
|
||||
/* globals */
|
||||
char * prog_name;
|
||||
int auth_debug =0;
|
||||
@@ -40,6 +45,7 @@ char k5login_path[MAXPATHLEN];
|
||||
char k5users_path[MAXPATHLEN];
|
||||
char * gb_err = NULL;
|
||||
int quiet = 0;
|
||||
+int force_fork = 0;
|
||||
/***********/
|
||||
|
||||
#define _DEF_CSH "/bin/csh"
|
||||
@@ -586,6 +592,25 @@ main (argc, argv)
|
||||
prog_name,target_user,client_name,
|
||||
source_user,ontty());
|
||||
|
||||
+#ifdef USE_PAM
|
||||
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
|
||||
+ NULL, source_user,
|
||||
+ ttyname(STDERR_FILENO)) != 0) {
|
||||
+ fprintf(stderr, "Access denied for %s.\n", target_user);
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ if (appl_pam_requires_chauthtok()) {
|
||||
+ fprintf(stderr, "Password change required for %s.\n",
|
||||
+ target_user);
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ force_fork++;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* Run authorization as target.*/
|
||||
if (krb5_seteuid(target_uid)) {
|
||||
com_err(prog_name, errno, "while switching to target for authorization check");
|
||||
@@ -792,7 +817,7 @@ main (argc, argv)
|
||||
fprintf(stderr, "program to be execed %s\n",params[0]);
|
||||
}
|
||||
|
||||
- if( keep_target_cache ) {
|
||||
+ if( keep_target_cache && !force_fork ) {
|
||||
execv(params[0], params);
|
||||
com_err(prog_name, errno, "while trying to execv %s",
|
||||
params[0]);
|
||||
@@ -800,6 +825,33 @@ main (argc, argv)
|
||||
exit(1);
|
||||
}else{
|
||||
statusp = 1;
|
||||
+
|
||||
+#ifdef USE_PAM
|
||||
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||
+ if (appl_pam_session_open() != 0) {
|
||||
+ fprintf(stderr, "Error opening session for %s.\n", target_user);
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ if (auth_debug){
|
||||
+ printf(" Opened PAM session.\n");
|
||||
+ }
|
||||
+#endif
|
||||
+ if (appl_pam_cred_init()) {
|
||||
+ fprintf(stderr, "Error initializing credentials for %s.\n",
|
||||
+ target_user);
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ if (auth_debug){
|
||||
+ printf(" Initialized PAM credentials.\n");
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
switch ((child_pid = fork())) {
|
||||
default:
|
||||
if (auth_debug){
|
||||
@@ -823,15 +875,34 @@ main (argc, argv)
|
||||
if (ret_pid == -1) {
|
||||
com_err(prog_name, errno, "while calling waitpid");
|
||||
}
|
||||
- sweep_up(ksu_context, cc_target);
|
||||
+ if( !keep_target_cache ) {
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ }
|
||||
exit (statusp);
|
||||
case -1:
|
||||
com_err(prog_name, errno, "while trying to fork.");
|
||||
sweep_up(ksu_context, cc_target);
|
||||
exit (1);
|
||||
case 0:
|
||||
+#ifdef USE_PAM
|
||||
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||
+ if (appl_pam_setenv() != 0) {
|
||||
+ fprintf(stderr, "Error setting up environment for %s.\n",
|
||||
+ target_user);
|
||||
+ exit (1);
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ if (auth_debug){
|
||||
+ printf(" Set up PAM environment.\n");
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
execv(params[0], params);
|
||||
com_err(prog_name, errno, "while trying to execv %s", params[0]);
|
||||
+ if( keep_target_cache ) {
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ }
|
||||
exit (1);
|
||||
}
|
||||
}
|
||||
diff -up krb5-1.8/src/clients/ksu/Makefile.in.pam krb5-1.8/src/clients/ksu/Makefile.in
|
||||
--- krb5-1.8/src/clients/ksu/Makefile.in.pam 2009-11-22 13:13:29.000000000 -0500
|
||||
+++ krb5-1.8/src/clients/ksu/Makefile.in 2010-03-05 11:55:14.000000000 -0500
|
||||
@@ -7,12 +7,14 @@
|
||||
PROG_RPATH=$(KRB5_LIBDIR)
|
||||
|
||||
KSU_LIBS=@KSU_LIBS@
|
||||
+PAM_LIBS=@PAM_LIBS@
|
||||
|
||||
SRCS = \
|
||||
$(srcdir)/krb_auth_su.c \
|
||||
$(srcdir)/ccache.c \
|
||||
$(srcdir)/authorization.c \
|
||||
$(srcdir)/main.c \
|
||||
+ $(srcdir)/pam.c \
|
||||
$(srcdir)/heuristic.c \
|
||||
$(srcdir)/xmalloc.c \
|
||||
$(srcdir)/setenv.c
|
||||
@@ -21,13 +23,17 @@ OBJS = \
|
||||
ccache.o \
|
||||
authorization.o \
|
||||
main.o \
|
||||
+ pam.o \
|
||||
heuristic.o \
|
||||
xmalloc.o @SETENVOBJ@
|
||||
|
||||
all:: ksu
|
||||
|
||||
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
|
||||
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
|
||||
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
|
||||
+
|
||||
+pam.o: pam.c
|
||||
+ $(CC) $(ALL_CFLAGS) -c $<
|
||||
|
||||
clean::
|
||||
$(RM) ksu
|
||||
diff -up krb5-1.8/src/clients/ksu/pam.c.pam krb5-1.8/src/clients/ksu/pam.c
|
||||
--- krb5-1.8/src/clients/ksu/pam.c.pam 2010-03-05 10:48:08.000000000 -0500
|
||||
+++ krb5-1.8/src/clients/ksu/pam.c 2010-03-05 10:48:08.000000000 -0500
|
||||
@@ -0,0 +1,389 @@
|
||||
+/*
|
||||
+ * src/clients/ksu/pam.c
|
||||
+ *
|
||||
+ * Copyright 2007,2009,2010 Red Hat, Inc.
|
||||
+ *
|
||||
+ * All Rights Reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions are met:
|
||||
+ *
|
||||
+ * Redistributions of source code must retain the above copyright notice, this
|
||||
+ * list of conditions and the following disclaimer.
|
||||
+ *
|
||||
+ * Redistributions in binary form must reproduce the above copyright notice,
|
||||
+ * this list of conditions and the following disclaimer in the documentation
|
||||
+ * and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
|
||||
+ * used to endorse or promote products derived from this software without
|
||||
+ * specific prior written permission.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
+ * POSSIBILITY OF SUCH DAMAGE.
|
||||
+ *
|
||||
+ * Convenience wrappers for using PAM.
|
||||
+ */
|
||||
+
|
||||
+#include "autoconf.h"
|
||||
+#ifdef USE_PAM
|
||||
+#include <sys/types.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <unistd.h>
|
||||
+#include "k5-int.h"
|
||||
+#include "pam.h"
|
||||
+
|
||||
+#ifndef MAXPWSIZE
|
||||
+#define MAXPWSIZE 128
|
||||
+#endif
|
||||
+
|
||||
+static int appl_pam_started;
|
||||
+static pid_t appl_pam_starter = -1;
|
||||
+static int appl_pam_session_opened;
|
||||
+static int appl_pam_creds_initialized;
|
||||
+static int appl_pam_pwchange_required;
|
||||
+static pam_handle_t *appl_pamh;
|
||||
+static struct pam_conv appl_pam_conv;
|
||||
+static char *appl_pam_user;
|
||||
+struct appl_pam_non_interactive_args {
|
||||
+ const char *user;
|
||||
+ const char *password;
|
||||
+};
|
||||
+
|
||||
+int
|
||||
+appl_pam_enabled(krb5_context context, const char *section)
|
||||
+{
|
||||
+ int enabled = 1;
|
||||
+ if ((context != NULL) && (context->profile != NULL)) {
|
||||
+ if (profile_get_boolean(context->profile,
|
||||
+ section,
|
||||
+ USE_PAM_CONFIGURATION_KEYWORD,
|
||||
+ NULL,
|
||||
+ enabled, &enabled) != 0) {
|
||||
+ enabled = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ return enabled;
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+appl_pam_cleanup(void)
|
||||
+{
|
||||
+ if (getpid() != appl_pam_starter) {
|
||||
+ return;
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ printf("Called to clean up PAM.\n");
|
||||
+#endif
|
||||
+ if (appl_pam_creds_initialized) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Deleting PAM credentials.\n");
|
||||
+#endif
|
||||
+ pam_setcred(appl_pamh, PAM_DELETE_CRED);
|
||||
+ appl_pam_creds_initialized = 0;
|
||||
+ }
|
||||
+ if (appl_pam_session_opened) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Closing PAM session.\n");
|
||||
+#endif
|
||||
+ pam_close_session(appl_pamh, 0);
|
||||
+ appl_pam_session_opened = 0;
|
||||
+ }
|
||||
+ appl_pam_pwchange_required = 0;
|
||||
+ if (appl_pam_started) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Shutting down PAM.\n");
|
||||
+#endif
|
||||
+ pam_end(appl_pamh, 0);
|
||||
+ appl_pam_started = 0;
|
||||
+ appl_pam_starter = -1;
|
||||
+ free(appl_pam_user);
|
||||
+ appl_pam_user = NULL;
|
||||
+ }
|
||||
+}
|
||||
+static int
|
||||
+appl_pam_interactive_converse(int num_msg, const struct pam_message **msg,
|
||||
+ struct pam_response **presp, void *appdata_ptr)
|
||||
+{
|
||||
+ const struct pam_message *message;
|
||||
+ struct pam_response *resp;
|
||||
+ int i, code;
|
||||
+ char *pwstring, pwbuf[MAXPWSIZE];
|
||||
+ unsigned int pwsize;
|
||||
+ resp = malloc(sizeof(struct pam_response) * num_msg);
|
||||
+ if (resp == NULL) {
|
||||
+ return PAM_BUF_ERR;
|
||||
+ }
|
||||
+ memset(resp, 0, sizeof(struct pam_response) * num_msg);
|
||||
+ code = PAM_SUCCESS;
|
||||
+ for (i = 0; i < num_msg; i++) {
|
||||
+ message = &(msg[0][i]); /* XXX */
|
||||
+ message = msg[i]; /* XXX */
|
||||
+ pwstring = NULL;
|
||||
+ switch (message->msg_style) {
|
||||
+ case PAM_TEXT_INFO:
|
||||
+ case PAM_ERROR_MSG:
|
||||
+ printf("[%s]\n", message->msg ? message->msg : "");
|
||||
+ fflush(stdout);
|
||||
+ resp[i].resp = NULL;
|
||||
+ resp[i].resp_retcode = PAM_SUCCESS;
|
||||
+ break;
|
||||
+ case PAM_PROMPT_ECHO_ON:
|
||||
+ case PAM_PROMPT_ECHO_OFF:
|
||||
+ if (message->msg_style == PAM_PROMPT_ECHO_ON) {
|
||||
+ if (fgets(pwbuf, sizeof(pwbuf),
|
||||
+ stdin) != NULL) {
|
||||
+ pwbuf[strcspn(pwbuf, "\r\n")] = '\0';
|
||||
+ pwstring = pwbuf;
|
||||
+ }
|
||||
+ } else {
|
||||
+ pwstring = getpass(message->msg ?
|
||||
+ message->msg :
|
||||
+ "");
|
||||
+ }
|
||||
+ if ((pwstring != NULL) && (pwstring[0] != '\0')) {
|
||||
+ pwsize = strlen(pwstring);
|
||||
+ resp[i].resp = malloc(pwsize + 1);
|
||||
+ if (resp[i].resp == NULL) {
|
||||
+ resp[i].resp_retcode = PAM_BUF_ERR;
|
||||
+ } else {
|
||||
+ memcpy(resp[i].resp, pwstring, pwsize);
|
||||
+ resp[i].resp[pwsize] = '\0';
|
||||
+ resp[i].resp_retcode = PAM_SUCCESS;
|
||||
+ }
|
||||
+ } else {
|
||||
+ resp[i].resp_retcode = PAM_CONV_ERR;
|
||||
+ code = PAM_CONV_ERR;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ *presp = resp;
|
||||
+ return code;
|
||||
+}
|
||||
+static int
|
||||
+appl_pam_non_interactive_converse(int num_msg,
|
||||
+ const struct pam_message **msg,
|
||||
+ struct pam_response **presp,
|
||||
+ void *appdata_ptr)
|
||||
+{
|
||||
+ const struct pam_message *message;
|
||||
+ struct pam_response *resp;
|
||||
+ int i, code;
|
||||
+ unsigned int pwsize;
|
||||
+ struct appl_pam_non_interactive_args *args;
|
||||
+ const char *pwstring;
|
||||
+ resp = malloc(sizeof(struct pam_response) * num_msg);
|
||||
+ if (resp == NULL) {
|
||||
+ return PAM_BUF_ERR;
|
||||
+ }
|
||||
+ args = appdata_ptr;
|
||||
+ memset(resp, 0, sizeof(struct pam_response) * num_msg);
|
||||
+ code = PAM_SUCCESS;
|
||||
+ for (i = 0; i < num_msg; i++) {
|
||||
+ message = &((*msg)[i]);
|
||||
+ message = msg[i];
|
||||
+ pwstring = NULL;
|
||||
+ switch (message->msg_style) {
|
||||
+ case PAM_TEXT_INFO:
|
||||
+ case PAM_ERROR_MSG:
|
||||
+ break;
|
||||
+ case PAM_PROMPT_ECHO_ON:
|
||||
+ case PAM_PROMPT_ECHO_OFF:
|
||||
+ if (message->msg_style == PAM_PROMPT_ECHO_ON) {
|
||||
+ /* assume "user" */
|
||||
+ pwstring = args->user;
|
||||
+ } else {
|
||||
+ /* assume "password" */
|
||||
+ pwstring = args->password;
|
||||
+ }
|
||||
+ if ((pwstring != NULL) && (pwstring[0] != '\0')) {
|
||||
+ pwsize = strlen(pwstring);
|
||||
+ resp[i].resp = malloc(pwsize + 1);
|
||||
+ if (resp[i].resp == NULL) {
|
||||
+ resp[i].resp_retcode = PAM_BUF_ERR;
|
||||
+ } else {
|
||||
+ memcpy(resp[i].resp, pwstring, pwsize);
|
||||
+ resp[i].resp[pwsize] = '\0';
|
||||
+ resp[i].resp_retcode = PAM_SUCCESS;
|
||||
+ }
|
||||
+ } else {
|
||||
+ resp[i].resp_retcode = PAM_CONV_ERR;
|
||||
+ code = PAM_CONV_ERR;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ *presp = resp;
|
||||
+ return code;
|
||||
+}
|
||||
+static int
|
||||
+appl_pam_start(const char *service, int interactive,
|
||||
+ const char *login_username,
|
||||
+ const char *non_interactive_password,
|
||||
+ const char *hostname,
|
||||
+ const char *ruser,
|
||||
+ const char *tty)
|
||||
+{
|
||||
+ static int exit_handler_registered;
|
||||
+ static struct appl_pam_non_interactive_args args;
|
||||
+ int ret = 0;
|
||||
+ if (appl_pam_started &&
|
||||
+ (strcmp(login_username, appl_pam_user) != 0)) {
|
||||
+ appl_pam_cleanup();
|
||||
+ appl_pam_user = NULL;
|
||||
+ }
|
||||
+ if (!appl_pam_started) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n",
|
||||
+ service, login_username);
|
||||
+#endif
|
||||
+ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv));
|
||||
+ appl_pam_conv.conv = interactive ?
|
||||
+ &appl_pam_interactive_converse :
|
||||
+ &appl_pam_non_interactive_converse;
|
||||
+ memset(&args, 0, sizeof(args));
|
||||
+ args.user = strdup(login_username);
|
||||
+ args.password = non_interactive_password ?
|
||||
+ strdup(non_interactive_password) :
|
||||
+ NULL;
|
||||
+ appl_pam_conv.appdata_ptr = &args;
|
||||
+ ret = pam_start(service, login_username,
|
||||
+ &appl_pam_conv, &appl_pamh);
|
||||
+ if (ret == 0) {
|
||||
+ if (hostname != NULL) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Setting PAM_RHOST to \"%s\".\n", hostname);
|
||||
+#endif
|
||||
+ pam_set_item(appl_pamh, PAM_RHOST, hostname);
|
||||
+ }
|
||||
+ if (ruser != NULL) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Setting PAM_RUSER to \"%s\".\n", ruser);
|
||||
+#endif
|
||||
+ pam_set_item(appl_pamh, PAM_RUSER, ruser);
|
||||
+ }
|
||||
+ if (tty != NULL) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Setting PAM_TTY to \"%s\".\n", tty);
|
||||
+#endif
|
||||
+ pam_set_item(appl_pamh, PAM_TTY, tty);
|
||||
+ }
|
||||
+ if (!exit_handler_registered &&
|
||||
+ (atexit(appl_pam_cleanup) != 0)) {
|
||||
+ pam_end(appl_pamh, 0);
|
||||
+ appl_pamh = NULL;
|
||||
+ ret = -1;
|
||||
+ } else {
|
||||
+ appl_pam_started = 1;
|
||||
+ appl_pam_starter = getpid();
|
||||
+ appl_pam_user = strdup(login_username);
|
||||
+ exit_handler_registered = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+int
|
||||
+appl_pam_acct_mgmt(const char *service, int interactive,
|
||||
+ const char *login_username,
|
||||
+ const char *non_interactive_password,
|
||||
+ const char *hostname,
|
||||
+ const char *ruser,
|
||||
+ const char *tty)
|
||||
+{
|
||||
+ int ret;
|
||||
+ appl_pam_pwchange_required = 0;
|
||||
+ ret = appl_pam_start(service, interactive, login_username,
|
||||
+ non_interactive_password, hostname, ruser, tty);
|
||||
+ if (ret == 0) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Calling pam_acct_mgmt().\n");
|
||||
+#endif
|
||||
+ ret = pam_acct_mgmt(appl_pamh, 0);
|
||||
+ switch (ret) {
|
||||
+ case PAM_IGNORE:
|
||||
+ ret = 0;
|
||||
+ break;
|
||||
+ case PAM_NEW_AUTHTOK_REQD:
|
||||
+ appl_pam_pwchange_required = 1;
|
||||
+ ret = 0;
|
||||
+ break;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+int
|
||||
+appl_pam_requires_chauthtok(void)
|
||||
+{
|
||||
+ return appl_pam_pwchange_required;
|
||||
+}
|
||||
+int
|
||||
+appl_pam_session_open(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ if (appl_pam_started) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Opening PAM session.\n");
|
||||
+#endif
|
||||
+ ret = pam_open_session(appl_pamh, 0);
|
||||
+ if (ret == 0) {
|
||||
+ appl_pam_session_opened = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+int
|
||||
+appl_pam_setenv(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+#ifdef HAVE_PAM_GETENVLIST
|
||||
+#ifdef HAVE_PUTENV
|
||||
+ int i;
|
||||
+ char **list;
|
||||
+ if (appl_pam_started) {
|
||||
+ list = pam_getenvlist(appl_pamh);
|
||||
+ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Setting \"%s\" in environment.\n", list[i]);
|
||||
+#endif
|
||||
+ putenv(list[i]);
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+#endif
|
||||
+ return ret;
|
||||
+}
|
||||
+int
|
||||
+appl_pam_cred_init(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ if (appl_pam_started) {
|
||||
+#ifdef DEBUG
|
||||
+ printf("Initializing PAM credentials.\n");
|
||||
+#endif
|
||||
+ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED);
|
||||
+ if (ret == 0) {
|
||||
+ appl_pam_creds_initialized = 1;
|
||||
+ }
|
||||
+ }
|
||||
+ return ret;
|
||||
+}
|
||||
+#endif
|
||||
diff -up krb5-1.8/src/clients/ksu/pam.h.pam krb5-1.8/src/clients/ksu/pam.h
|
||||
--- krb5-1.8/src/clients/ksu/pam.h.pam 2010-03-05 10:48:08.000000000 -0500
|
||||
+++ krb5-1.8/src/clients/ksu/pam.h 2010-03-05 10:48:08.000000000 -0500
|
||||
@@ -0,0 +1,57 @@
|
||||
+/*
|
||||
+ * src/clients/ksu/pam.h
|
||||
+ *
|
||||
+ * Copyright 2007,2009,2010 Red Hat, Inc.
|
||||
+ *
|
||||
+ * All Rights Reserved.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions are met:
|
||||
+ *
|
||||
+ * Redistributions of source code must retain the above copyright notice, this
|
||||
+ * list of conditions and the following disclaimer.
|
||||
+ *
|
||||
+ * Redistributions in binary form must reproduce the above copyright notice,
|
||||
+ * this list of conditions and the following disclaimer in the documentation
|
||||
+ * and/or other materials provided with the distribution.
|
||||
+ *
|
||||
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
|
||||
+ * used to endorse or promote products derived from this software without
|
||||
+ * specific prior written permission.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
||||
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||||
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||||
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||||
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
+ * POSSIBILITY OF SUCH DAMAGE.
|
||||
+ *
|
||||
+ * Convenience wrappers for using PAM.
|
||||
+ */
|
||||
+
|
||||
+#include <krb5.h>
|
||||
+#ifdef HAVE_SECURITY_PAM_APPL_H
|
||||
+#include <security/pam_appl.h>
|
||||
+#endif
|
||||
+
|
||||
+#define USE_PAM_CONFIGURATION_KEYWORD "use_pam"
|
||||
+
|
||||
+#ifdef USE_PAM
|
||||
+int appl_pam_enabled(krb5_context context, const char *section);
|
||||
+int appl_pam_acct_mgmt(const char *service, int interactive,
|
||||
+ const char *local_username,
|
||||
+ const char *non_interactive_password,
|
||||
+ const char *hostname,
|
||||
+ const char *ruser,
|
||||
+ const char *tty);
|
||||
+int appl_pam_requires_chauthtok(void);
|
||||
+int appl_pam_session_open(void);
|
||||
+int appl_pam_setenv(void);
|
||||
+int appl_pam_cred_init(void);
|
||||
+void appl_pam_cleanup(void);
|
||||
+#endif
|
||||
diff -up krb5-1.8/src/configure.in.pam krb5-1.8/src/configure.in
|
||||
--- krb5-1.8/src/configure.in.pam 2009-12-31 18:13:56.000000000 -0500
|
||||
+++ krb5-1.8/src/configure.in 2010-03-05 10:48:08.000000000 -0500
|
||||
@@ -1051,6 +1051,8 @@ if test "$ac_cv_lib_socket" = "yes" -a "
|
||||
AC_DEFINE(BROKEN_STREAMS_SOCKETS,1,[Define if socket can't be bound to 0.0.0.0])
|
||||
fi
|
||||
|
||||
+KRB5_WITH_PAM
|
||||
+
|
||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||
V5_AC_OUTPUT_MAKEFILE(.
|
||||
|
@ -31,9 +31,9 @@ The selabel APIs for looking up the context should be thread-safe (per
|
||||
Red Hat #273081), so switching to using them instead of matchpathcon(),
|
||||
which we used earlier, is some improvement.
|
||||
|
||||
diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
|
||||
--- krb5-1.7/src/aclocal.m4 2009-06-04 13:47:20.000000000 -0400
|
||||
+++ krb5-1.7/src/aclocal.m4 2009-06-04 13:47:20.000000000 -0400
|
||||
diff -up krb5-1.8/src/aclocal.m4.selinux-label krb5-1.8/src/aclocal.m4
|
||||
--- krb5-1.8/src/aclocal.m4.selinux-label 2010-03-05 10:57:23.000000000 -0500
|
||||
+++ krb5-1.8/src/aclocal.m4 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
|
||||
dnl
|
||||
KRB5_AC_PRAGMA_WEAK_REF
|
||||
@ -42,7 +42,7 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
|
||||
KRB5_LIB_PARAMS
|
||||
KRB5_AC_INITFINI
|
||||
KRB5_AC_ENABLE_THREADS
|
||||
@@ -1876,3 +1877,53 @@ AC_SUBST(PAM_LIBS)
|
||||
@@ -1791,3 +1792,53 @@ AC_SUBST(manlocalstatedir)
|
||||
AC_SUBST(manlibexecdir)
|
||||
AC_CONFIG_FILES($1)
|
||||
])
|
||||
@ -96,51 +96,18 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
|
||||
+LIBS="$old_LIBS"
|
||||
+AC_SUBST(SELINUX_LIBS)
|
||||
+])dnl
|
||||
diff -up krb5-1.7/src/appl/bsd/configure.in krb5-1.7/src/appl/bsd/configure.in
|
||||
--- krb5-1.7/src/appl/bsd/configure.in 2009-06-04 13:47:20.000000000 -0400
|
||||
+++ krb5-1.7/src/appl/bsd/configure.in 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -25,6 +25,7 @@ AC_CHECK_LIB(odm,main,
|
||||
LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg"
|
||||
)))
|
||||
KRB5_WITH_PAM
|
||||
+KRB5_WITH_SELINUX
|
||||
dnl
|
||||
dnl Make our operating system-specific security checks and definitions for
|
||||
dnl login.
|
||||
diff -up krb5-1.7/src/appl/gssftp/configure.in krb5-1.7/src/appl/gssftp/configure.in
|
||||
--- krb5-1.7/src/appl/gssftp/configure.in 2009-06-04 13:47:20.000000000 -0400
|
||||
+++ krb5-1.7/src/appl/gssftp/configure.in 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -18,6 +18,7 @@ AC_REPLACE_FUNCS(getdtablesize)
|
||||
AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv)
|
||||
AC_CHECK_LIB(crypt,crypt) dnl
|
||||
KRB5_WITH_PAM
|
||||
+KRB5_WITH_SELINUX
|
||||
KRB5_AC_LIBUTIL
|
||||
dnl
|
||||
dnl copied from appl/bsd/configure.in
|
||||
diff -up krb5-1.7/src/appl/telnet/configure.in krb5-1.7/src/appl/telnet/configure.in
|
||||
--- krb5-1.7/src/appl/telnet/configure.in 2008-12-15 15:31:53.000000000 -0500
|
||||
+++ krb5-1.7/src/appl/telnet/configure.in 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -151,6 +151,7 @@ AC_MSG_RESULT($krb5_cv_sys_setpgrp_two)
|
||||
if test $krb5_cv_sys_setpgrp_two = yes; then
|
||||
AC_DEFINE(SETPGRP_TWOARG,1,[Define if setpgrp takes two arguments])
|
||||
fi
|
||||
+KRB5_WITH_SELINUX
|
||||
dnl
|
||||
KRB5_NEED_PROTO([#include <stdlib.h>],unsetenv,1)
|
||||
dnl KRB5_NEED_PROTO([#include <stdlib.h>],setenv,1)
|
||||
diff -up krb5-1.7/src/config/pre.in krb5-1.7/src/config/pre.in
|
||||
--- krb5-1.7/src/config/pre.in 2009-06-04 13:47:20.000000000 -0400
|
||||
+++ krb5-1.7/src/config/pre.in 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -182,6 +182,7 @@ LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX
|
||||
diff -up krb5-1.8/src/config/pre.in.selinux-label krb5-1.8/src/config/pre.in
|
||||
--- krb5-1.8/src/config/pre.in.selinux-label 2010-03-05 10:57:23.000000000 -0500
|
||||
+++ krb5-1.8/src/config/pre.in 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@
|
||||
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
|
||||
LDARGS = @LDARGS@
|
||||
LIBS = @LIBS@
|
||||
PAM_LIBS = @PAM_LIBS@
|
||||
+SELINUX_LIBS=@SELINUX_LIBS@
|
||||
|
||||
INSTALL=@INSTALL@
|
||||
INSTALL_STRIP=
|
||||
@@ -382,7 +383,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
||||
@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
|
||||
# HESIOD_LIBS is -lhesiod...
|
||||
HESIOD_LIBS = @HESIOD_LIBS@
|
||||
|
||||
@ -149,10 +116,10 @@ diff -up krb5-1.7/src/config/pre.in krb5-1.7/src/config/pre.in
|
||||
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
|
||||
GSS_LIBS = $(GSS_KRB5_LIB)
|
||||
# needs fixing if ever used on Mac OS X!
|
||||
diff -up krb5-1.7/src/configure.in krb5-1.7/src/configure.in
|
||||
--- krb5-1.7/src/configure.in 2009-06-04 13:47:20.000000000 -0400
|
||||
+++ krb5-1.7/src/configure.in 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -1042,6 +1042,8 @@ AC_CONFIG_SUBDIRS(appl/libpty appl/bsd a
|
||||
diff -up krb5-1.8/src/configure.in.selinux-label krb5-1.8/src/configure.in
|
||||
--- krb5-1.8/src/configure.in.selinux-label 2010-03-05 10:57:23.000000000 -0500
|
||||
+++ krb5-1.8/src/configure.in 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -1053,6 +1053,8 @@ fi
|
||||
|
||||
KRB5_WITH_PAM
|
||||
|
||||
@ -161,47 +128,10 @@ diff -up krb5-1.7/src/configure.in krb5-1.7/src/configure.in
|
||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||
|
||||
V5_AC_OUTPUT_MANPAGE([
|
||||
diff -up krb5-1.7/src/include/autoconf.h.in krb5-1.7/src/include/autoconf.h.in
|
||||
--- krb5-1.7/src/include/autoconf.h.in 2009-06-01 20:58:35.000000000 -0400
|
||||
+++ krb5-1.7/src/include/autoconf.h.in 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -389,6 +389,12 @@
|
||||
/* Define to 1 if you have the `sched_yield' function. */
|
||||
#undef HAVE_SCHED_YIELD
|
||||
|
||||
+/* Define to 1 if you have the <selinux/label.h> header file. */
|
||||
+#undef HAVE_SELINUX_LABEL_H
|
||||
+
|
||||
+/* Define to 1 if you have the <selinux/selinux.h> header file. */
|
||||
+#undef HAVE_SELINUX_SELINUX_H
|
||||
+
|
||||
/* Define to 1 if you have the <semaphore.h> header file. */
|
||||
#undef HAVE_SEMAPHORE_H
|
||||
|
||||
@@ -401,6 +407,9 @@
|
||||
/* Define to 1 if you have the `setegid' function. */
|
||||
#undef HAVE_SETEGID
|
||||
|
||||
+/* Define to 1 if you have the `setfscreatecon' function. */
|
||||
+#undef HAVE_SETFSCREATECON
|
||||
+
|
||||
/* Define to 1 if you have the `setenv' function. */
|
||||
#undef HAVE_SETENV
|
||||
|
||||
@@ -768,6 +777,10 @@
|
||||
/* Define if the KDC should use a replay cache */
|
||||
#undef USE_RCACHE
|
||||
|
||||
+/* Define if Kerberos-aware tools should set SELinux file contexts when
|
||||
+ creating files. */
|
||||
+#undef USE_SELINUX
|
||||
+
|
||||
/* Define if sigprocmask should be used */
|
||||
#undef USE_SIGPROCMASK
|
||||
|
||||
diff -up krb5-1.7/src/include/k5-int.h krb5-1.7/src/include/k5-int.h
|
||||
--- krb5-1.7/src/include/k5-int.h 2009-05-11 16:56:53.000000000 -0400
|
||||
+++ krb5-1.7/src/include/k5-int.h 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -132,6 +132,7 @@ typedef unsigned char u_char;
|
||||
diff -up krb5-1.8/src/include/k5-int.h.selinux-label krb5-1.8/src/include/k5-int.h
|
||||
--- krb5-1.8/src/include/k5-int.h.selinux-label 2010-01-04 14:59:16.000000000 -0500
|
||||
+++ krb5-1.8/src/include/k5-int.h 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -133,6 +133,7 @@ typedef unsigned char u_char;
|
||||
typedef UINT64_TYPE krb5_ui_8;
|
||||
typedef INT64_TYPE krb5_int64;
|
||||
|
||||
@ -209,16 +139,19 @@ diff -up krb5-1.7/src/include/k5-int.h krb5-1.7/src/include/k5-int.h
|
||||
|
||||
#define DEFAULT_PWD_STRING1 "Enter password"
|
||||
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
|
||||
diff -up /dev/null krb5-1.7/src/include/k5-label.h
|
||||
--- /dev/null 2009-06-04 10:34:55.169007373 -0400
|
||||
+++ krb5-1.7/src/include/k5-label.h 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -0,0 +1,27 @@
|
||||
diff -up krb5-1.8/src/include/k5-label.h.selinux-label krb5-1.8/src/include/k5-label.h
|
||||
--- krb5-1.8/src/include/k5-label.h.selinux-label 2010-03-05 10:57:23.000000000 -0500
|
||||
+++ krb5-1.8/src/include/k5-label.h 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -0,0 +1,30 @@
|
||||
+#ifndef _KRB5_LABEL_H
|
||||
+#define _KRB5_LABEL_H
|
||||
+
|
||||
+#ifdef THREEPARAMOPEN
|
||||
+#undef THREEPARAMOPEN
|
||||
+#endif
|
||||
+#ifdef WRITABLEFOPEN
|
||||
+#undef WRITABLEFOPEN
|
||||
+#endif
|
||||
+
|
||||
+/* Wrapper functions which help us create files and directories with the right
|
||||
+ * context labels. */
|
||||
@ -240,9 +173,9 @@ diff -up /dev/null krb5-1.7/src/include/k5-label.h
|
||||
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||
+#endif
|
||||
+#endif
|
||||
diff -up krb5-1.7/src/include/krb5/krb5.hin krb5-1.7/src/include/krb5/krb5.hin
|
||||
--- krb5-1.7/src/include/krb5/krb5.hin 2009-04-15 16:07:03.000000000 -0400
|
||||
+++ krb5-1.7/src/include/krb5/krb5.hin 2009-06-04 13:47:20.000000000 -0400
|
||||
diff -up krb5-1.8/src/include/krb5/krb5.hin.selinux-label krb5-1.8/src/include/krb5/krb5.hin
|
||||
--- krb5-1.8/src/include/krb5/krb5.hin.selinux-label 2010-01-21 17:49:07.000000000 -0500
|
||||
+++ krb5-1.8/src/include/krb5/krb5.hin 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -87,6 +87,12 @@
|
||||
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||
#endif
|
||||
@ -256,10 +189,10 @@ diff -up krb5-1.7/src/include/krb5/krb5.hin krb5-1.7/src/include/krb5/krb5.hin
|
||||
#define KRB5_OLD_CRYPTO
|
||||
|
||||
#include <stdlib.h>
|
||||
diff -up krb5-1.7/src/kadmin/dbutil/dump.c krb5-1.7/src/kadmin/dbutil/dump.c
|
||||
--- krb5-1.7/src/kadmin/dbutil/dump.c 2009-01-30 18:55:14.000000000 -0500
|
||||
+++ krb5-1.7/src/kadmin/dbutil/dump.c 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -1219,7 +1219,7 @@ dump_db(argc, argv)
|
||||
diff -up krb5-1.8/src/kadmin/dbutil/dump.c.selinux-label krb5-1.8/src/kadmin/dbutil/dump.c
|
||||
--- krb5-1.8/src/kadmin/dbutil/dump.c.selinux-label 2009-10-30 20:48:38.000000000 -0400
|
||||
+++ krb5-1.8/src/kadmin/dbutil/dump.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -1274,7 +1274,7 @@ dump_db(argc, argv)
|
||||
* want to get into.
|
||||
*/
|
||||
unlink(ofile);
|
||||
@ -268,9 +201,9 @@ diff -up krb5-1.7/src/kadmin/dbutil/dump.c krb5-1.7/src/kadmin/dbutil/dump.c
|
||||
fprintf(stderr, ofopen_error,
|
||||
progname, ofile, error_message(errno));
|
||||
exit_status++;
|
||||
diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in
|
||||
--- krb5-1.7/src/krb5-config.in 2008-12-18 13:31:16.000000000 -0500
|
||||
+++ krb5-1.7/src/krb5-config.in 2009-06-04 13:47:20.000000000 -0400
|
||||
diff -up krb5-1.8/src/krb5-config.in.selinux-label krb5-1.8/src/krb5-config.in
|
||||
--- krb5-1.8/src/krb5-config.in.selinux-label 2010-01-21 17:49:01.000000000 -0500
|
||||
+++ krb5-1.8/src/krb5-config.in 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
|
||||
PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@'
|
||||
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
|
||||
@ -288,10 +221,10 @@ diff -up krb5-1.7/src/krb5-config.in krb5-1.7/src/krb5-config.in
|
||||
fi
|
||||
|
||||
echo $lib_flags
|
||||
diff -up krb5-1.7/src/lib/kadm5/logger.c krb5-1.7/src/lib/kadm5/logger.c
|
||||
--- krb5-1.7/src/lib/kadm5/logger.c 2008-12-29 18:01:15.000000000 -0500
|
||||
+++ krb5-1.7/src/lib/kadm5/logger.c 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -421,7 +421,7 @@ krb5_klog_init(krb5_context kcontext, ch
|
||||
diff -up krb5-1.8/src/lib/kadm5/logger.c.selinux-label krb5-1.8/src/lib/kadm5/logger.c
|
||||
--- krb5-1.8/src/lib/kadm5/logger.c.selinux-label 2009-12-28 21:42:51.000000000 -0500
|
||||
+++ krb5-1.8/src/lib/kadm5/logger.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
|
||||
* Check for append/overwrite, then open the file.
|
||||
*/
|
||||
if (cp[4] == ':' || cp[4] == '=') {
|
||||
@ -300,7 +233,7 @@ diff -up krb5-1.7/src/lib/kadm5/logger.c krb5-1.7/src/lib/kadm5/logger.c
|
||||
if (f) {
|
||||
set_cloexec_file(f);
|
||||
log_control.log_entries[i].lfu_filep = f;
|
||||
@@ -954,7 +954,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
||||
@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
|
||||
* In case the old logfile did not get moved out of the
|
||||
* way, open for append to prevent squashing the old logs.
|
||||
*/
|
||||
@ -309,10 +242,10 @@ diff -up krb5-1.7/src/lib/kadm5/logger.c krb5-1.7/src/lib/kadm5/logger.c
|
||||
if (f) {
|
||||
set_cloexec_file(f);
|
||||
log_control.log_entries[lindex].lfu_filep = f;
|
||||
diff -up krb5-1.7/src/lib/krb5/keytab/kt_file.c krb5-1.7/src/lib/krb5/keytab/kt_file.c
|
||||
--- krb5-1.7/src/lib/krb5/keytab/kt_file.c 2009-05-11 16:55:22.000000000 -0400
|
||||
+++ krb5-1.7/src/lib/krb5/keytab/kt_file.c 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -1094,7 +1094,7 @@ krb5_ktfileint_open(krb5_context context
|
||||
diff -up krb5-1.8/src/lib/krb5/keytab/kt_file.c.selinux-label krb5-1.8/src/lib/krb5/keytab/kt_file.c
|
||||
--- krb5-1.8/src/lib/krb5/keytab/kt_file.c.selinux-label 2009-11-10 14:59:39.000000000 -0500
|
||||
+++ krb5-1.8/src/lib/krb5/keytab/kt_file.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context
|
||||
|
||||
KTCHECKLOCK(id);
|
||||
errno = 0;
|
||||
@ -321,7 +254,7 @@ diff -up krb5-1.7/src/lib/krb5/keytab/kt_file.c krb5-1.7/src/lib/krb5/keytab/kt_
|
||||
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
|
||||
fopen_mode_rbplus : fopen_mode_rb);
|
||||
if (!KTFILEP(id)) {
|
||||
@@ -1102,7 +1102,7 @@ krb5_ktfileint_open(krb5_context context
|
||||
@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context
|
||||
/* try making it first time around */
|
||||
krb5_create_secure_file(context, KTFILENAME(id));
|
||||
errno = 0;
|
||||
@ -330,10 +263,10 @@ diff -up krb5-1.7/src/lib/krb5/keytab/kt_file.c krb5-1.7/src/lib/krb5/keytab/kt_
|
||||
if (!KTFILEP(id))
|
||||
goto report_errno;
|
||||
writevno = 1;
|
||||
diff -up krb5-1.7/src/plugins/kdb/db2/adb_openclose.c krb5-1.7/src/plugins/kdb/db2/adb_openclose.c
|
||||
--- krb5-1.7/src/plugins/kdb/db2/adb_openclose.c 2007-10-22 15:18:53.000000000 -0400
|
||||
+++ krb5-1.7/src/plugins/kdb/db2/adb_openclose.c 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -198,7 +198,7 @@ krb5_error_code osa_adb_init_db(osa_adb_
|
||||
diff -up krb5-1.8/src/plugins/kdb/db2/adb_openclose.c.selinux-label krb5-1.8/src/plugins/kdb/db2/adb_openclose.c
|
||||
--- krb5-1.8/src/plugins/kdb/db2/adb_openclose.c.selinux-label 2009-11-24 18:52:25.000000000 -0500
|
||||
+++ krb5-1.8/src/plugins/kdb/db2/adb_openclose.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
|
||||
* POSIX systems
|
||||
*/
|
||||
lockp->lockinfo.filename = strdup(lockfilename);
|
||||
@ -342,10 +275,10 @@ diff -up krb5-1.7/src/plugins/kdb/db2/adb_openclose.c krb5-1.7/src/plugins/kdb/d
|
||||
/*
|
||||
* maybe someone took away write permission so we could only
|
||||
* get shared locks?
|
||||
diff -up krb5-1.7/src/plugins/kdb/db2/kdb_db2.c krb5-1.7/src/plugins/kdb/db2/kdb_db2.c
|
||||
--- krb5-1.7/src/plugins/kdb/db2/kdb_db2.c 2009-01-30 20:07:04.000000000 -0500
|
||||
+++ krb5-1.7/src/plugins/kdb/db2/kdb_db2.c 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -327,8 +327,8 @@ krb5_db2_db_init(krb5_context context)
|
||||
diff -up krb5-1.8/src/plugins/kdb/db2/kdb_db2.c.selinux-label krb5-1.8/src/plugins/kdb/db2/kdb_db2.c
|
||||
--- krb5-1.8/src/plugins/kdb/db2/kdb_db2.c.selinux-label 2009-11-25 09:36:05.000000000 -0500
|
||||
+++ krb5-1.8/src/plugins/kdb/db2/kdb_db2.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -326,8 +326,8 @@ krb5_db2_db_init(krb5_context context)
|
||||
* should be opened read/write so that write locking can work with
|
||||
* POSIX systems
|
||||
*/
|
||||
@ -356,7 +289,7 @@ diff -up krb5-1.7/src/plugins/kdb/db2/kdb_db2.c krb5-1.7/src/plugins/kdb/db2/kdb
|
||||
retval = errno;
|
||||
goto err_out;
|
||||
}
|
||||
@@ -754,7 +754,7 @@ krb5_db2_db_create(krb5_context context,
|
||||
@@ -745,7 +745,7 @@ krb5_db2_db_create(krb5_context context,
|
||||
if (!okname)
|
||||
retval = ENOMEM;
|
||||
else {
|
||||
@ -365,7 +298,7 @@ diff -up krb5-1.7/src/plugins/kdb/db2/kdb_db2.c krb5-1.7/src/plugins/kdb/db2/kdb
|
||||
if (fd < 0)
|
||||
retval = errno;
|
||||
else
|
||||
@@ -1795,7 +1795,7 @@ krb5_db2_db_rename(context, from, to)
|
||||
@@ -1925,7 +1925,7 @@ krb5_db2_db_rename(context, from, to, me
|
||||
retval = ENOMEM;
|
||||
goto errout;
|
||||
}
|
||||
@ -374,9 +307,9 @@ diff -up krb5-1.7/src/plugins/kdb/db2/kdb_db2.c krb5-1.7/src/plugins/kdb/db2/kdb
|
||||
if (db_ctx->db_lf_file < 0) {
|
||||
retval = errno;
|
||||
goto errout;
|
||||
diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
--- krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-10-22 15:18:53.000000000 -0400
|
||||
+++ krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2009-06-04 13:47:20.000000000 -0400
|
||||
diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c
|
||||
--- krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c.selinux-label 2009-10-30 20:48:38.000000000 -0400
|
||||
+++ krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
|
||||
|
||||
#include "k5-platform.h" /* mkstemp? */
|
||||
@ -394,9 +327,9 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.7/src/plugin
|
||||
goto err;
|
||||
|
||||
} else {
|
||||
diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
--- krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c 2009-01-23 13:04:08.000000000 -0500
|
||||
+++ krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c 2009-06-04 13:47:20.000000000 -0400
|
||||
diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c
|
||||
--- krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c.selinux-label 2009-10-30 20:48:38.000000000 -0400
|
||||
+++ krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
|
||||
#include <assert.h>
|
||||
#endif
|
||||
@ -414,9 +347,9 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.7/src/plugins/kd
|
||||
RETURN_ERROR(errno, error0);
|
||||
(void)fcntl(hashp->fp, F_SETFD, 1);
|
||||
}
|
||||
diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
--- krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-10-22 15:18:53.000000000 -0400
|
||||
+++ krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2009-06-04 13:47:20.000000000 -0400
|
||||
diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c
|
||||
--- krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c.selinux-label 2007-10-22 15:18:53.000000000 -0400
|
||||
+++ krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
@ -434,10 +367,10 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.7/src/plugi
|
||||
return (NULL);
|
||||
|
||||
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
|
||||
diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
--- krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in 2008-08-25 19:08:16.000000000 -0400
|
||||
+++ krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -14,7 +14,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
|
||||
diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in
|
||||
--- krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in.selinux-label 2009-11-22 13:13:29.000000000 -0500
|
||||
+++ krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
|
||||
|
||||
KRB5_RUN_ENV= @KRB5_RUN_ENV@
|
||||
|
||||
@ -447,10 +380,10 @@ diff -up krb5-1.7/src/plugins/kdb/db2/libdb2/test/Makefile.in krb5-1.7/src/plugi
|
||||
DB_DEPLIB = ../libdb$(DEPLIBEXT)
|
||||
|
||||
all::
|
||||
diff -up krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
--- krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2008-12-01 12:09:59.000000000 -0500
|
||||
+++ krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -1096,7 +1096,7 @@ rem_service_entry_from_file(argc, argv,
|
||||
diff -up krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.selinux-label krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
|
||||
--- krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.selinux-label 2009-11-24 18:52:25.000000000 -0500
|
||||
+++ krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -1091,7 +1091,7 @@
|
||||
|
||||
/* Create a temporary file which contains all the entries except the
|
||||
entry for the given service dn */
|
||||
@ -459,7 +392,7 @@ diff -up krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.7/s
|
||||
if (pfile == NULL) {
|
||||
com_err(me, errno, "while deleting entry from file %s", file_name);
|
||||
goto cleanup;
|
||||
@@ -1113,7 +1113,7 @@ rem_service_entry_from_file(argc, argv,
|
||||
@@ -1108,7 +1108,7 @@
|
||||
snprintf (tmp_file, strlen(file_name) + 4 + 1, "%s%s", file_name, ".tmp");
|
||||
|
||||
|
||||
@ -468,7 +401,16 @@ diff -up krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.7/s
|
||||
umask(omask);
|
||||
if (tmpfd == -1) {
|
||||
com_err(me, errno, "while deleting entry from file\n");
|
||||
@@ -1767,7 +1767,7 @@ kdb5_ldap_set_service_password(argc, arg
|
||||
@@ -1728,7 +1728,7 @@
|
||||
|
||||
printf("File does not exist. Creating the file %s...\n", file_name);
|
||||
omask = umask(077);
|
||||
- fd = creat(file_name, S_IRUSR|S_IWUSR);
|
||||
+ fd = THREEPARAMOPEN(file_name, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
|
||||
umask(omask);
|
||||
if (fd == -1) {
|
||||
com_err(me, errno, "Error creating file %s", file_name);
|
||||
@@ -1756,7 +1756,7 @@
|
||||
|
||||
/* TODO: file lock for the service password file */
|
||||
/* set password in the file */
|
||||
@ -477,7 +419,7 @@ diff -up krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.7/s
|
||||
if (pfile == NULL) {
|
||||
com_err(me, errno, "Failed to open file %s", file_name);
|
||||
goto cleanup;
|
||||
@@ -1808,7 +1808,7 @@ kdb5_ldap_set_service_password(argc, arg
|
||||
@@ -1797,7 +1797,7 @@
|
||||
}
|
||||
|
||||
omask = umask(077);
|
||||
@ -486,7 +428,7 @@ diff -up krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.7/s
|
||||
umask(omask);
|
||||
if (newfile == NULL) {
|
||||
com_err(me, errno, "Error creating file %s", tmp_file);
|
||||
@@ -2032,7 +2032,7 @@ done:
|
||||
@@ -2019,7 +2019,7 @@
|
||||
|
||||
/* set password in the file */
|
||||
old_mode = umask(0177);
|
||||
@ -495,7 +437,7 @@ diff -up krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.7/s
|
||||
if (pfile == NULL) {
|
||||
com_err(me, errno, "Failed to open file %s: %s", file_name,
|
||||
strerror (errno));
|
||||
@@ -2082,7 +2082,7 @@ done:
|
||||
@@ -2069,7 +2069,7 @@
|
||||
}
|
||||
|
||||
omask = umask(077);
|
||||
@ -504,10 +446,10 @@ diff -up krb5-1.7/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c krb5-1.7/s
|
||||
umask (omask);
|
||||
if (newfile == NULL) {
|
||||
com_err(me, errno, "Error creating file %s", tmp_file);
|
||||
diff -up krb5-1.7/src/slave/kpropd.c krb5-1.7/src/slave/kpropd.c
|
||||
--- krb5-1.7/src/slave/kpropd.c 2008-12-30 00:45:06.000000000 -0500
|
||||
+++ krb5-1.7/src/slave/kpropd.c 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -346,7 +346,7 @@ retry:
|
||||
diff -up krb5-1.8/src/slave/kpropd.c.selinux-label krb5-1.8/src/slave/kpropd.c
|
||||
--- krb5-1.8/src/slave/kpropd.c.selinux-label 2009-12-31 17:25:11.000000000 -0500
|
||||
+++ krb5-1.8/src/slave/kpropd.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -328,7 +328,7 @@ retry:
|
||||
if (!debug && iproprole != IPROP_SLAVE)
|
||||
daemon(1, 0);
|
||||
#ifdef PID_FILE
|
||||
@ -516,10 +458,10 @@ diff -up krb5-1.7/src/slave/kpropd.c krb5-1.7/src/slave/kpropd.c
|
||||
fprintf(pidfile, "%d\n", getpid());
|
||||
fclose(pidfile);
|
||||
} else
|
||||
diff -up krb5-1.7/src/util/profile/prof_file.c krb5-1.7/src/util/profile/prof_file.c
|
||||
--- krb5-1.7/src/util/profile/prof_file.c 2008-11-05 11:19:01.000000000 -0500
|
||||
+++ krb5-1.7/src/util/profile/prof_file.c 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -29,6 +29,7 @@
|
||||
diff -up krb5-1.8/src/util/profile/prof_file.c.selinux-label krb5-1.8/src/util/profile/prof_file.c
|
||||
--- krb5-1.8/src/util/profile/prof_file.c.selinux-label 2009-12-27 19:21:20.000000000 -0500
|
||||
+++ krb5-1.8/src/util/profile/prof_file.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -30,6 +30,7 @@
|
||||
#endif
|
||||
|
||||
#include "k5-platform.h"
|
||||
@ -527,7 +469,7 @@ diff -up krb5-1.7/src/util/profile/prof_file.c krb5-1.7/src/util/profile/prof_fi
|
||||
|
||||
struct global_shared_profile_data {
|
||||
/* This is the head of the global list of shared trees */
|
||||
@@ -422,7 +423,7 @@ static errcode_t write_data_to_file(prf_
|
||||
@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
|
||||
|
||||
errno = 0;
|
||||
|
||||
@ -536,10 +478,10 @@ diff -up krb5-1.7/src/util/profile/prof_file.c krb5-1.7/src/util/profile/prof_fi
|
||||
if (!f) {
|
||||
retval = errno;
|
||||
if (retval == 0)
|
||||
diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefile.in
|
||||
--- krb5-1.7/src/util/support/Makefile.in 2009-01-05 15:27:53.000000000 -0500
|
||||
+++ krb5-1.7/src/util/support/Makefile.in 2009-06-04 13:47:20.000000000 -0400
|
||||
@@ -38,6 +38,7 @@ PRINTF_OBJ= @PRINTF_OBJ@
|
||||
diff -up krb5-1.8/src/util/support/Makefile.in.selinux-label krb5-1.8/src/util/support/Makefile.in
|
||||
--- krb5-1.8/src/util/support/Makefile.in.selinux-label 2009-11-23 20:25:10.000000000 -0500
|
||||
+++ krb5-1.8/src/util/support/Makefile.in 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -54,6 +54,7 @@ IPC_SYMS= \
|
||||
|
||||
STLIBOBJS= \
|
||||
threads.o \
|
||||
@ -547,7 +489,7 @@ diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefil
|
||||
init-addrinfo.o \
|
||||
plugins.o \
|
||||
errors.o \
|
||||
@@ -86,7 +87,7 @@ SRCS=\
|
||||
@@ -108,7 +109,7 @@ SRCS=\
|
||||
|
||||
SHLIB_EXPDEPS =
|
||||
# Add -lm if dumping thread stats, for sqrt.
|
||||
@ -556,9 +498,9 @@ diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefil
|
||||
SHLIB_DIRS=
|
||||
SHLIB_RDIRS=$(KRB5_LIBDIR)
|
||||
|
||||
diff -up /dev/null krb5-1.7/src/util/support/selinux.c
|
||||
--- /dev/null 2009-06-04 10:34:55.169007373 -0400
|
||||
+++ krb5-1.7/src/util/support/selinux.c 2009-06-04 13:47:20.000000000 -0400
|
||||
diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/support/selinux.c
|
||||
--- krb5-1.8/src/util/support/selinux.c.selinux-label 2010-03-05 10:57:23.000000000 -0500
|
||||
+++ krb5-1.8/src/util/support/selinux.c 2010-03-05 10:57:23.000000000 -0500
|
||||
@@ -0,0 +1,346 @@
|
||||
+/*
|
||||
+ * Copyright 2007,2008,2009 Red Hat, Inc. All Rights Reserved.
|
@ -3,10 +3,10 @@ neither end is reading. This is a port of a patch which aims to solve that
|
||||
problem, but for now it's incomplete because we don't handle partial writes. A
|
||||
proper non-blocking implementation would require a bit more work.
|
||||
|
||||
diff -up krb5-1.7/src/appl/bsd/defines.h krb5-1.7/src/appl/bsd/defines.h
|
||||
--- krb5-1.7/src/appl/bsd/defines.h 2008-12-15 15:29:01.000000000 -0500
|
||||
+++ krb5-1.7/src/appl/bsd/defines.h 2009-06-04 14:18:48.000000000 -0400
|
||||
@@ -34,6 +34,7 @@ extern int kcmd (int *sock, char **ahost
|
||||
diff -up krb5-appl-1.0/bsd/defines.h.io krb5-appl-1.0/bsd/defines.h
|
||||
--- krb5-appl-1.0/bsd/defines.h.io 2009-11-16 05:27:04.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/defines.h 2010-03-05 11:00:06.000000000 -0500
|
||||
@@ -36,6 +36,7 @@ extern int kcmd (int *sock, char **ahost
|
||||
enum kcmd_proto *protonum /* input and output */
|
||||
);
|
||||
|
||||
@ -14,10 +14,10 @@ diff -up krb5-1.7/src/appl/bsd/defines.h krb5-1.7/src/appl/bsd/defines.h
|
||||
extern int rcmd_stream_read (int fd, char *buf, size_t len, int secondary);
|
||||
extern int rcmd_stream_write (int fd, char *buf, size_t len, int secondary);
|
||||
extern int getport (int * /* portnum */, int * /* addrfamily */);
|
||||
diff -up krb5-1.7/src/appl/bsd/kcmd.c krb5-1.7/src/appl/bsd/kcmd.c
|
||||
--- krb5-1.7/src/appl/bsd/kcmd.c 2009-04-15 16:07:15.000000000 -0400
|
||||
+++ krb5-1.7/src/appl/bsd/kcmd.c 2009-06-04 14:18:48.000000000 -0400
|
||||
@@ -686,6 +686,11 @@ void rcmd_stream_init_normal()
|
||||
diff -up krb5-appl-1.0/bsd/kcmd.c.io krb5-appl-1.0/bsd/kcmd.c
|
||||
--- krb5-appl-1.0/bsd/kcmd.c.io 2009-11-16 05:27:04.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/kcmd.c 2010-03-05 11:00:06.000000000 -0500
|
||||
@@ -767,6 +767,11 @@ void rcmd_stream_init_normal()
|
||||
output = twrite;
|
||||
}
|
||||
|
||||
@ -29,8 +29,8 @@ diff -up krb5-1.7/src/appl/bsd/kcmd.c krb5-1.7/src/appl/bsd/kcmd.c
|
||||
void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck, am_client,
|
||||
protonum)
|
||||
krb5_keyblock *in_keyblock;
|
||||
@@ -846,7 +851,8 @@ static int v5_des_read(fd, buf, len, sec
|
||||
cc = krb5_net_read(bsd_context, fd, &c, 1);
|
||||
@@ -927,7 +932,8 @@ static int v5_des_read(fd, buf, len, sec
|
||||
cc = full_read(fd, &c, 1);
|
||||
/* we should check for non-blocking here, but we'd have
|
||||
to make it save partial reads as well. */
|
||||
- if (cc <= 0) return cc; /* read error */
|
||||
@ -39,10 +39,10 @@ diff -up krb5-1.7/src/appl/bsd/kcmd.c krb5-1.7/src/appl/bsd/kcmd.c
|
||||
if (cc == 1) {
|
||||
if (c == 0 || !do_lencheck) break;
|
||||
}
|
||||
diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c
|
||||
--- krb5-1.7/src/appl/bsd/krsh.c 2009-06-04 14:18:47.000000000 -0400
|
||||
+++ krb5-1.7/src/appl/bsd/krsh.c 2009-06-04 14:18:48.000000000 -0400
|
||||
@@ -115,10 +115,11 @@ main(argc, argv0)
|
||||
diff -up krb5-appl-1.0/bsd/krsh.c.io krb5-appl-1.0/bsd/krsh.c
|
||||
--- krb5-appl-1.0/bsd/krsh.c.io 2010-03-05 11:00:05.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/krsh.c 2010-03-05 11:00:06.000000000 -0500
|
||||
@@ -117,10 +117,11 @@ main(argc, argv0)
|
||||
char **argv0;
|
||||
{
|
||||
int rem, pid = 0;
|
||||
@ -55,7 +55,7 @@ diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c
|
||||
int one = 1;
|
||||
struct servent *sp;
|
||||
struct servent defaultservent;
|
||||
@@ -508,9 +509,14 @@ main(argc, argv0)
|
||||
@@ -510,9 +511,14 @@ main(argc, argv0)
|
||||
FD_ZERO(&readfrom);
|
||||
FD_SET(rfd2, &readfrom);
|
||||
FD_SET(rem, &readfrom);
|
||||
@ -71,7 +71,7 @@ diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c
|
||||
if (errno != EINTR) {
|
||||
perror("select");
|
||||
exit(1);
|
||||
@@ -518,22 +524,38 @@ main(argc, argv0)
|
||||
@@ -520,22 +526,38 @@ main(argc, argv0)
|
||||
continue;
|
||||
}
|
||||
if (FD_ISSET(rfd2, &ready)) {
|
||||
@ -124,10 +124,10 @@ diff -up krb5-1.7/src/appl/bsd/krsh.c krb5-1.7/src/appl/bsd/krsh.c
|
||||
}
|
||||
} while (FD_ISSET(rem, &readfrom) || FD_ISSET(rfd2, &readfrom));
|
||||
if (nflag == 0)
|
||||
diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
--- krb5-1.7/src/appl/bsd/krshd.c 2009-06-04 14:18:47.000000000 -0400
|
||||
+++ krb5-1.7/src/appl/bsd/krshd.c 2009-06-04 14:18:48.000000000 -0400
|
||||
@@ -583,7 +583,8 @@ void doit(f, fromp)
|
||||
diff -up krb5-appl-1.0/bsd/krshd.c.io krb5-appl-1.0/bsd/krshd.c
|
||||
--- krb5-appl-1.0/bsd/krshd.c.io 2010-03-05 11:00:05.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/krshd.c 2010-03-05 11:00:06.000000000 -0500
|
||||
@@ -585,7 +585,8 @@ void doit(f, fromp)
|
||||
short port;
|
||||
int pv[2], pw[2], px[2], cc;
|
||||
fd_set ready, readfrom;
|
||||
@ -137,7 +137,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
struct sockaddr_storage localaddr;
|
||||
#ifdef POSIX_SIGNALS
|
||||
struct sigaction sa;
|
||||
@@ -1214,6 +1215,10 @@ void doit(f, fromp)
|
||||
@@ -1216,6 +1217,10 @@ void doit(f, fromp)
|
||||
if (pw[0] > maxfd)
|
||||
maxfd = pw[0];
|
||||
|
||||
@ -148,7 +148,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
/* read from f, write to px[1] -- child stdin */
|
||||
/* read from s, signal child */
|
||||
/* read from pv[0], write to s -- child stderr */
|
||||
@@ -1221,36 +1226,47 @@ void doit(f, fromp)
|
||||
@@ -1223,36 +1228,47 @@ void doit(f, fromp)
|
||||
|
||||
do {
|
||||
ready = readfrom;
|
||||
@ -204,7 +204,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
}
|
||||
if (port&&FD_ISSET(s, &ready)) {
|
||||
/* read from the alternate channel, signal the child */
|
||||
@@ -1268,12 +1284,15 @@ void doit(f, fromp)
|
||||
@@ -1270,12 +1286,15 @@ void doit(f, fromp)
|
||||
}
|
||||
}
|
||||
if (FD_ISSET(f, &ready)) {
|
||||
@ -221,7 +221,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
} else {
|
||||
int wcc;
|
||||
wcc = write(px[1], buf, (unsigned) cc);
|
||||
@@ -1281,17 +1300,22 @@ void doit(f, fromp)
|
||||
@@ -1283,17 +1302,22 @@ void doit(f, fromp)
|
||||
/* pipe closed, don't read any more */
|
||||
/* might check for EPIPE */
|
||||
(void) close(px[1]);
|
@ -8,25 +8,254 @@
|
||||
instead of fseek(), which takes a long and might not handle the full
|
||||
range of values.
|
||||
RT#6524
|
||||
Index: krb5/src/appl/gssftp/configure.in
|
||||
===================================================================
|
||||
--- krb5/src/appl/gssftp/configure.in (revision 22425)
|
||||
+++ krb5/src/appl/gssftp/configure.in (working copy)
|
||||
@@ -12,6 +12,9 @@
|
||||
AC_HEADER_STDARG
|
||||
AC_CHECK_HEADER(termios.h,[AC_CHECK_FUNC(cfsetispeed,AC_DEFINE(POSIX_TERMIOS,1,[Define if POSIX termios interface found]))])
|
||||
AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/select.h sys/sockio.h paths.h)
|
||||
|
||||
diff -up krb5-appl-1.0/bsd/krcp.c.largefile krb5-appl-1.0/bsd/krcp.c
|
||||
--- krb5-appl-1.0/bsd/krcp.c.largefile 2010-03-05 11:06:23.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/krcp.c 2010-03-05 11:06:24.000000000 -0500
|
||||
@@ -748,8 +748,13 @@ void source(argc, argv)
|
||||
continue;
|
||||
}
|
||||
}
|
||||
+#ifdef HAVE_LONG_LONG_INT
|
||||
+ (void) snprintf(buf, sizeof(buf), "C%04o %lld %s\n",
|
||||
+ (int) stb.st_mode&07777, (long long) stb.st_size, last);
|
||||
+#else
|
||||
(void) snprintf(buf, sizeof(buf), "C%04o %ld %s\n",
|
||||
(int) stb.st_mode&07777, (long ) stb.st_size, last);
|
||||
+#endif
|
||||
(void) rcmd_stream_write(rem, buf, strlen(buf), 0);
|
||||
if (response() < 0) {
|
||||
(void) close(f);
|
||||
diff -up krb5-appl-1.0/configure.ac.largefile krb5-appl-1.0/configure.ac
|
||||
--- krb5-appl-1.0/configure.ac.largefile 2010-03-05 11:06:23.000000000 -0500
|
||||
+++ krb5-appl-1.0/configure.ac 2010-03-05 11:06:24.000000000 -0500
|
||||
@@ -103,6 +103,10 @@ case $host in
|
||||
;;
|
||||
esac
|
||||
|
||||
+AC_SYS_LARGEFILE
|
||||
+AC_FUNC_FSEEKO
|
||||
+AC_CHECK_TYPES([long long])
|
||||
CHECK_UTMP
|
||||
DECLARE_SYS_ERRLIST
|
||||
AC_REPLACE_FUNCS(getdtablesize)
|
||||
Index: krb5/src/appl/gssftp/ftp/ftp_var.h
|
||||
===================================================================
|
||||
--- krb5/src/appl/gssftp/ftp/ftp_var.h (revision 22425)
|
||||
+++ krb5/src/appl/gssftp/ftp/ftp_var.h (working copy)
|
||||
@@ -46,13 +46,19 @@
|
||||
+AC_TYPE_LONG_LONG_INT
|
||||
+AC_TYPE_UNSIGNED_LONG_LONG_INT
|
||||
AC_CHECK_FUNCS(_getpty cgetent getcwd getenv gettosbyname getusershell getutmp)
|
||||
AC_CHECK_FUNCS(getutmpx grantpt inet_aton initgroups isatty killpg killpg)
|
||||
AC_CHECK_FUNCS(line_push logwtmp openpty ptsname revoke rmufile rresvport_af)
|
||||
diff -up krb5-appl-1.0/gssftp/ftpd/ftpcmd.y.largefile krb5-appl-1.0/gssftp/ftpd/ftpcmd.y
|
||||
--- krb5-appl-1.0/gssftp/ftpd/ftpcmd.y.largefile 2009-11-05 15:15:06.000000000 -0500
|
||||
+++ krb5-appl-1.0/gssftp/ftpd/ftpcmd.y 2010-03-05 11:06:24.000000000 -0500
|
||||
@@ -1499,12 +1499,20 @@ char *filename;
|
||||
(stbuf.st_mode&S_IFMT) != S_IFREG)
|
||||
reply(550, "%s: not a plain file.", filename);
|
||||
else
|
||||
+#ifdef HAVE_LONG_LONG_INT
|
||||
+ reply(213, "%llu", (long long) stbuf.st_size);
|
||||
+#else
|
||||
reply(213, "%lu", (long) stbuf.st_size);
|
||||
+#endif
|
||||
break;}
|
||||
case TYPE_A: {
|
||||
FILE *fin;
|
||||
register int c;
|
||||
+#ifdef HAVE_LONG_LONG_INT
|
||||
+ register long long count;
|
||||
+#else
|
||||
register long count;
|
||||
+#endif
|
||||
struct stat stbuf;
|
||||
fin = fopen(filename, "r");
|
||||
if (fin == NULL) {
|
||||
@@ -1526,7 +1534,11 @@ char *filename;
|
||||
}
|
||||
(void) fclose(fin);
|
||||
|
||||
+#ifdef HAVE_LONG_LONG_INT
|
||||
+ reply(213, "%lld", count);
|
||||
+#else
|
||||
reply(213, "%ld", count);
|
||||
+#endif
|
||||
break;}
|
||||
default:
|
||||
reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]);
|
||||
diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.c.largefile krb5-appl-1.0/gssftp/ftpd/ftpd.c
|
||||
--- krb5-appl-1.0/gssftp/ftpd/ftpd.c.largefile 2010-03-05 11:06:23.000000000 -0500
|
||||
+++ krb5-appl-1.0/gssftp/ftpd/ftpd.c 2010-03-05 11:06:24.000000000 -0500
|
||||
@@ -1205,8 +1205,13 @@ retrieve(cmd, name)
|
||||
done:
|
||||
(*closefunc)(fin);
|
||||
if (logging > 2 && !cmd) {
|
||||
+#ifdef HAVE_UNSIGNED_LONG_LONG_INT
|
||||
+ syslog(LOG_NOTICE, "get: %llu bytes transferred",
|
||||
+ (unsigned long long) byte_count);
|
||||
+#else
|
||||
syslog(LOG_NOTICE, "get: %lu bytes transferred",
|
||||
(unsigned long) byte_count);
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1252,7 +1257,7 @@ store_file(name, fmode, unique)
|
||||
* because we are changing from reading to
|
||||
* writing.
|
||||
*/
|
||||
- if (fseek(fout, 0L, L_INCR) < 0) {
|
||||
+ if (FSEEK(fout, 0L, L_INCR) < 0) {
|
||||
perror_reply(550, name);
|
||||
goto done;
|
||||
}
|
||||
@@ -1277,8 +1282,13 @@ store_file(name, fmode, unique)
|
||||
done:
|
||||
(*closefunc)(fout);
|
||||
if (logging > 2) {
|
||||
+#ifdef HAVE_UNSIGNED_LONG_LONG_INT
|
||||
+ syslog(LOG_NOTICE, "put: %llu bytes transferred",
|
||||
+ (unsigned long long) byte_count);
|
||||
+#else
|
||||
syslog(LOG_NOTICE, "put: %lu bytes transferred",
|
||||
(unsigned long) byte_count);
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1341,8 +1351,13 @@ dataconn(name, size, fmode)
|
||||
byte_count = 0;
|
||||
if (size != (off_t) -1)
|
||||
/* cast size to long in case sizeof(off_t) > sizeof(long) */
|
||||
+#ifdef HAVE_LONG_LONG_INT
|
||||
+ (void) snprintf (sizebuf, sizeof(sizebuf), " (%lld bytes)",
|
||||
+ (long long)size);
|
||||
+#else
|
||||
(void) snprintf (sizebuf, sizeof(sizebuf), " (%ld bytes)",
|
||||
(long)size);
|
||||
+#endif
|
||||
else
|
||||
sizebuf[0] = '\0';
|
||||
if (pdata >= 0) {
|
||||
@@ -2063,6 +2078,15 @@ myoob(sig)
|
||||
siglongjmp(urgcatch, 1);
|
||||
}
|
||||
if (strcmp(cp, "STAT") == 0) {
|
||||
+#ifdef HAVE_LONG_LONG_INT
|
||||
+ if (file_size != (off_t) -1)
|
||||
+ reply(213, "Status: %llu of %llu bytes transferred",
|
||||
+ (unsigned long long) byte_count,
|
||||
+ (unsigned long long) file_size);
|
||||
+ else
|
||||
+ reply(213, "Status: %llu bytes transferred",
|
||||
+ (unsigned long long) byte_count);
|
||||
+#else
|
||||
if (file_size != (off_t) -1)
|
||||
reply(213, "Status: %lu of %lu bytes transferred",
|
||||
(unsigned long) byte_count,
|
||||
@@ -2070,6 +2094,7 @@ myoob(sig)
|
||||
else
|
||||
reply(213, "Status: %lu bytes transferred",
|
||||
(unsigned long) byte_count);
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
|
||||
diff -up krb5-appl-1.0/gssftp/ftpd/ftpd_var.h.largefile krb5-appl-1.0/gssftp/ftpd/ftpd_var.h
|
||||
--- krb5-appl-1.0/gssftp/ftpd/ftpd_var.h.largefile 2009-11-05 15:15:06.000000000 -0500
|
||||
+++ krb5-appl-1.0/gssftp/ftpd/ftpd_var.h 2010-03-05 11:06:24.000000000 -0500
|
||||
@@ -41,6 +41,12 @@
|
||||
char *radix_error (int);
|
||||
int radix_encode (unsigned char *, unsigned char *, size_t *, int);
|
||||
|
||||
+#ifdef HAVE_FSEEKO
|
||||
+#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence)
|
||||
+#else
|
||||
+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence)
|
||||
+#endif
|
||||
+
|
||||
/* ftpd.c */
|
||||
void ack(char *);
|
||||
int auth_data(unsigned char *);
|
||||
diff -up krb5-appl-1.0/gssftp/ftp/ftp.c.largefile krb5-appl-1.0/gssftp/ftp/ftp.c
|
||||
--- krb5-appl-1.0/gssftp/ftp/ftp.c.largefile 2010-03-05 11:06:24.000000000 -0500
|
||||
+++ krb5-appl-1.0/gssftp/ftp/ftp.c 2010-03-05 11:06:24.000000000 -0500
|
||||
@@ -156,7 +156,11 @@ void user_gss_error (OM_uint32, OM_uint3
|
||||
|
||||
static void proxtrans (char *, char *, char *);
|
||||
static int initconn (void);
|
||||
+#ifdef HAVE_LONG_LONG_INT
|
||||
+static void ptransfer (char *, long long, struct timeval *, struct timeval *);
|
||||
+#else
|
||||
static void ptransfer (char *, long, struct timeval *, struct timeval *);
|
||||
+#endif
|
||||
static void abort_remote (FILE *);
|
||||
static void tvsub (struct timeval *, struct timeval *, struct timeval *);
|
||||
static char *gunique (char *);
|
||||
@@ -787,7 +791,11 @@ void sendrequest(char *cmd, char *local,
|
||||
FILE *volatile fin, *volatile dout = 0;
|
||||
int (*volatile closefunc)();
|
||||
volatile sig_t oldintr, oldintp;
|
||||
+#ifdef HAVE_LONG_LONG_INT
|
||||
+ volatile long long bytes = 0, hashbytes = HASHBYTES;
|
||||
+#else
|
||||
volatile long bytes = 0, hashbytes = HASHBYTES;
|
||||
+#endif
|
||||
char *volatile lmode;
|
||||
char buf[FTP_BUFSIZ], *bufp;
|
||||
|
||||
@@ -884,7 +892,7 @@ void sendrequest(char *cmd, char *local,
|
||||
|
||||
if (restart_point &&
|
||||
(strcmp(cmd, "STOR") == 0 || strcmp(cmd, "APPE") == 0)) {
|
||||
- if (fseek(fin, (long) restart_point, 0) < 0) {
|
||||
+ if (FSEEK(fin, restart_point, 0) < 0) {
|
||||
fprintf(stderr, "local: %s: %s\n", local,
|
||||
strerror(errno));
|
||||
restart_point = 0;
|
||||
@@ -1279,7 +1287,7 @@ void recvrequest(char *cmd, char *volati
|
||||
if (restart_point) {
|
||||
register int i, n, ch;
|
||||
|
||||
- if (fseek(fout, 0L, L_SET) < 0)
|
||||
+ if (FSEEK(fout, 0L, L_SET) < 0)
|
||||
goto done;
|
||||
n = restart_point;
|
||||
for (i = 0; i++ < n;) {
|
||||
@@ -1288,7 +1296,7 @@ void recvrequest(char *cmd, char *volati
|
||||
if (ch == '\n')
|
||||
i++;
|
||||
}
|
||||
- if (fseek(fout, 0L, L_INCR) < 0) {
|
||||
+ if (FSEEK(fout, 0L, L_INCR) < 0) {
|
||||
done:
|
||||
fprintf(stderr, "local: %s: %s\n", local,
|
||||
strerror(errno));
|
||||
@@ -1553,8 +1561,13 @@ dataconn(char *lmode)
|
||||
return (FDOPEN_SOCKET(data, lmode));
|
||||
}
|
||||
|
||||
+#ifdef HAVE_LONG_LONG_INT
|
||||
+static void ptransfer(char *direction, long long bytes,
|
||||
+ struct timeval *t0, struct timeval *t1)
|
||||
+#else
|
||||
static void ptransfer(char *direction, long bytes,
|
||||
struct timeval *t0, struct timeval *t1)
|
||||
+#endif
|
||||
{
|
||||
struct timeval td;
|
||||
float s, kbs;
|
||||
@@ -1564,8 +1577,13 @@ static void ptransfer(char *direction, l
|
||||
s = td.tv_sec + (td.tv_usec / 1000000.);
|
||||
#define nz(x) ((x) == 0 ? 1 : (x))
|
||||
kbs = (bytes / nz(s))/1024.0;
|
||||
+#ifdef HAVE_LONG_LONG_INT
|
||||
+ printf("%lld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
|
||||
+ bytes, direction, s, kbs);
|
||||
+#else
|
||||
printf("%ld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
|
||||
bytes, direction, s, kbs);
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
|
||||
diff -up krb5-appl-1.0/gssftp/ftp/ftp_var.h.largefile krb5-appl-1.0/gssftp/ftp/ftp_var.h
|
||||
--- krb5-appl-1.0/gssftp/ftp/ftp_var.h.largefile 2010-03-05 11:06:24.000000000 -0500
|
||||
+++ krb5-appl-1.0/gssftp/ftp/ftp_var.h 2010-03-05 11:06:24.000000000 -0500
|
||||
@@ -46,12 +46,18 @@ FILE* fdopen_socket(SOCKET s, char* mode
|
||||
#define FDOPEN_SOCKET(s, mode) fdopen_socket(s, mode)
|
||||
#define SOCKETNO(fd) _get_osfhandle(fd)
|
||||
#define PERROR_SOCKET(str) do { errno = SOCKET_ERRNO; perror(str); } while(0)
|
||||
@ -41,254 +270,7 @@ Index: krb5/src/appl/gssftp/ftp/ftp_var.h
|
||||
+#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence)
|
||||
+#else
|
||||
+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence)
|
||||
#endif
|
||||
+#endif
|
||||
#endif
|
||||
|
||||
#ifdef _WIN32
|
||||
typedef void (*sig_t)(int);
|
||||
Index: krb5/src/appl/gssftp/ftp/ftp.c
|
||||
===================================================================
|
||||
--- krb5/src/appl/gssftp/ftp/ftp.c (revision 22425)
|
||||
+++ krb5/src/appl/gssftp/ftp/ftp.c (working copy)
|
||||
@@ -150,7 +150,11 @@
|
||||
|
||||
static void proxtrans (char *, char *, char *);
|
||||
static int initconn (void);
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
+static void ptransfer (char *, long long, struct timeval *, struct timeval *);
|
||||
+#else
|
||||
static void ptransfer (char *, long, struct timeval *, struct timeval *);
|
||||
+#endif
|
||||
static void abort_remote (FILE *);
|
||||
static void tvsub (struct timeval *, struct timeval *, struct timeval *);
|
||||
static char *gunique (char *);
|
||||
@@ -775,7 +779,11 @@
|
||||
FILE *volatile fin, *volatile dout = 0;
|
||||
int (*volatile closefunc)();
|
||||
volatile sig_t oldintr, oldintp;
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
+ volatile long long bytes = 0, hashbytes = HASHBYTES;
|
||||
+#else
|
||||
volatile long bytes = 0, hashbytes = HASHBYTES;
|
||||
+#endif
|
||||
char *volatile lmode;
|
||||
unsigned char buf[FTP_BUFSIZ], *bufp;
|
||||
|
||||
@@ -872,7 +880,7 @@
|
||||
|
||||
if (restart_point &&
|
||||
(strcmp(cmd, "STOR") == 0 || strcmp(cmd, "APPE") == 0)) {
|
||||
- if (fseek(fin, (long) restart_point, 0) < 0) {
|
||||
+ if (FSEEK(fin, restart_point, 0) < 0) {
|
||||
fprintf(stderr, "local: %s: %s\n", local,
|
||||
strerror(errno));
|
||||
restart_point = 0;
|
||||
@@ -1266,7 +1274,7 @@
|
||||
if (restart_point) {
|
||||
register int i, n, ch;
|
||||
|
||||
- if (fseek(fout, 0L, L_SET) < 0)
|
||||
+ if (FSEEK(fout, 0L, L_SET) < 0)
|
||||
goto done;
|
||||
n = restart_point;
|
||||
for (i = 0; i++ < n;) {
|
||||
@@ -1275,7 +1283,7 @@
|
||||
if (ch == '\n')
|
||||
i++;
|
||||
}
|
||||
- if (fseek(fout, 0L, L_INCR) < 0) {
|
||||
+ if (FSEEK(fout, 0L, L_INCR) < 0) {
|
||||
done:
|
||||
fprintf(stderr, "local: %s: %s\n", local,
|
||||
strerror(errno));
|
||||
@@ -1538,8 +1546,13 @@
|
||||
return (FDOPEN_SOCKET(data, lmode));
|
||||
}
|
||||
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
+static void ptransfer(char *direction, long long bytes,
|
||||
+ struct timeval *t0, struct timeval *t1)
|
||||
+#else
|
||||
static void ptransfer(char *direction, long bytes,
|
||||
struct timeval *t0, struct timeval *t1)
|
||||
+#endif
|
||||
{
|
||||
struct timeval td;
|
||||
float s, kbs;
|
||||
@@ -1549,8 +1562,13 @@
|
||||
s = td.tv_sec + (td.tv_usec / 1000000.);
|
||||
#define nz(x) ((x) == 0 ? 1 : (x))
|
||||
kbs = (bytes / nz(s))/1024.0;
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
+ printf("%lld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
|
||||
+ bytes, direction, s, kbs);
|
||||
+#else
|
||||
printf("%ld bytes %s in %.2g seconds (%.2g Kbytes/s)\n",
|
||||
bytes, direction, s, kbs);
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
|
||||
Index: krb5/src/appl/gssftp/ftpd/ftpcmd.y
|
||||
===================================================================
|
||||
--- krb5/src/appl/gssftp/ftpd/ftpcmd.y (revision 22425)
|
||||
+++ krb5/src/appl/gssftp/ftpd/ftpcmd.y (working copy)
|
||||
@@ -1497,12 +1497,20 @@
|
||||
(stbuf.st_mode&S_IFMT) != S_IFREG)
|
||||
reply(550, "%s: not a plain file.", filename);
|
||||
else
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
+ reply(213, "%llu", (long long) stbuf.st_size);
|
||||
+#else
|
||||
reply(213, "%lu", (long) stbuf.st_size);
|
||||
+#endif
|
||||
break;}
|
||||
case TYPE_A: {
|
||||
FILE *fin;
|
||||
register int c;
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
+ register long long count;
|
||||
+#else
|
||||
register long count;
|
||||
+#endif
|
||||
struct stat stbuf;
|
||||
fin = fopen(filename, "r");
|
||||
if (fin == NULL) {
|
||||
@@ -1524,7 +1532,11 @@
|
||||
}
|
||||
(void) fclose(fin);
|
||||
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
+ reply(213, "%lld", count);
|
||||
+#else
|
||||
reply(213, "%ld", count);
|
||||
+#endif
|
||||
break;}
|
||||
default:
|
||||
reply(504, "SIZE not implemented for Type %c.", "?AEIL"[type]);
|
||||
Index: krb5/src/appl/gssftp/ftpd/ftpd_var.h
|
||||
===================================================================
|
||||
--- krb5/src/appl/gssftp/ftpd/ftpd_var.h (revision 22425)
|
||||
+++ krb5/src/appl/gssftp/ftpd/ftpd_var.h (working copy)
|
||||
@@ -41,6 +41,12 @@
|
||||
char *radix_error (int);
|
||||
int radix_encode (unsigned char *, unsigned char *, int *, int);
|
||||
|
||||
+#ifdef HAVE_FSEEKO
|
||||
+#define FSEEK(fd, offset, whence) fseeko(fd, (off_t) offset, whence)
|
||||
+#else
|
||||
+#define FSEEK(fd, offset, whence) fseek(fd, (long) offset, whence)
|
||||
+#endif
|
||||
+
|
||||
/* ftpd.c */
|
||||
void ack(char *);
|
||||
int auth_data(char *);
|
||||
Index: krb5/src/appl/gssftp/ftpd/ftpd.c
|
||||
===================================================================
|
||||
--- krb5/src/appl/gssftp/ftpd/ftpd.c (revision 22425)
|
||||
+++ krb5/src/appl/gssftp/ftpd/ftpd.c (working copy)
|
||||
@@ -1146,7 +1146,11 @@
|
||||
done:
|
||||
(*closefunc)(fin);
|
||||
if (logging > 2 && !cmd)
|
||||
- syslog(LOG_NOTICE, "get: %i bytes transferred", byte_count);
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
+ syslog(LOG_NOTICE, "get: %lld bytes transferred", (long long) byte_count);
|
||||
+#else
|
||||
+ syslog(LOG_NOTICE, "get: %ld bytes transferred", (long) byte_count);
|
||||
+#endif
|
||||
}
|
||||
|
||||
void
|
||||
@@ -1191,7 +1195,7 @@
|
||||
* because we are changing from reading to
|
||||
* writing.
|
||||
*/
|
||||
- if (fseek(fout, 0L, L_INCR) < 0) {
|
||||
+ if (FSEEK(fout, 0L, L_INCR) < 0) {
|
||||
perror_reply(550, name);
|
||||
goto done;
|
||||
}
|
||||
@@ -1216,7 +1220,11 @@
|
||||
done:
|
||||
(*closefunc)(fout);
|
||||
if (logging > 2)
|
||||
- syslog(LOG_NOTICE, "put: %i bytes transferred", byte_count);
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
+ syslog(LOG_NOTICE, "get: %lld bytes transferred", byte_count);
|
||||
+#else
|
||||
+ syslog(LOG_NOTICE, "get: %ld bytes transferred", (long) byte_count);
|
||||
+#endif
|
||||
}
|
||||
|
||||
FILE *
|
||||
@@ -1278,8 +1286,13 @@
|
||||
byte_count = 0;
|
||||
if (size != (off_t) -1)
|
||||
/* cast size to long in case sizeof(off_t) > sizeof(long) */
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
+ (void) snprintf (sizebuf, sizeof(sizebuf), " (%lld bytes)",
|
||||
+ (long long)size);
|
||||
+#else
|
||||
(void) snprintf (sizebuf, sizeof(sizebuf), " (%ld bytes)",
|
||||
(long)size);
|
||||
+#endif
|
||||
else
|
||||
sizebuf[0] = '\0';
|
||||
if (pdata >= 0) {
|
||||
@@ -1991,13 +2004,23 @@
|
||||
siglongjmp(urgcatch, 1);
|
||||
}
|
||||
if (strcmp(cp, "STAT") == 0) {
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
if (file_size != (off_t) -1)
|
||||
+ reply(213, "Status: %llu of %llu bytes transferred",
|
||||
+ (unsigned long long) byte_count,
|
||||
+ (unsigned long long) file_size);
|
||||
+ else
|
||||
+ reply(213, "Status: %llu bytes transferred",
|
||||
+ (unsigned long long) byte_count);
|
||||
+#else
|
||||
+ if (file_size != (off_t) -1)
|
||||
reply(213, "Status: %lu of %lu bytes transferred",
|
||||
(unsigned long) byte_count,
|
||||
(unsigned long) file_size);
|
||||
else
|
||||
reply(213, "Status: %lu bytes transferred",
|
||||
(unsigned long) byte_count);
|
||||
+#endif
|
||||
}
|
||||
}
|
||||
|
||||
Index: krb5/src/appl/bsd/configure.in
|
||||
===================================================================
|
||||
--- krb5/src/appl/bsd/configure.in (revision 22425)
|
||||
+++ krb5/src/appl/bsd/configure.in (working copy)
|
||||
@@ -51,6 +51,9 @@
|
||||
AC_TYPE_MODE_T
|
||||
AC_CHECK_FUNCS(isatty inet_aton getenv gettosbyname killpg initgroups setpriority setreuid setresuid waitpid setsid ptsname setlogin tcgetpgrp tcsetpgrp setpgid strsave utimes rmufile rresvport_af)
|
||||
AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h utmp.h sys/time.h sys/ioctl_compat.h paths.h arpa/nameser.h)
|
||||
+AC_SYS_LARGEFILE
|
||||
+AC_FUNC_FSEEKO
|
||||
+AC_CHECK_TYPES([long long])
|
||||
AC_HEADER_STDARG
|
||||
AC_REPLACE_FUNCS(getdtablesize)
|
||||
dnl
|
||||
Index: krb5/src/appl/bsd/krcp.c
|
||||
===================================================================
|
||||
--- krb5/src/appl/bsd/krcp.c (revision 22425)
|
||||
+++ krb5/src/appl/bsd/krcp.c (working copy)
|
||||
@@ -764,8 +764,13 @@
|
||||
continue;
|
||||
}
|
||||
}
|
||||
+#ifdef HAVE_LONG_LONG
|
||||
+ (void) snprintf(buf, sizeof(buf), "C%04o %lld %s\n",
|
||||
+ (int) stb.st_mode&07777, (long long) stb.st_size, last);
|
||||
+#else
|
||||
(void) snprintf(buf, sizeof(buf), "C%04o %ld %s\n",
|
||||
(int) stb.st_mode&07777, (long ) stb.st_size, last);
|
||||
+#endif
|
||||
(void) rcmd_stream_write(rem, buf, strlen(buf), 0);
|
||||
if (response() < 0) {
|
||||
(void) close(f);
|
@ -2,10 +2,10 @@ Change to the user's directory after dropping privileges, in case it is only
|
||||
accessible to the user (for example, if it's in NFS with root squashing).
|
||||
Incomplete - we probably need to do the same for rshd and ftpd.
|
||||
|
||||
diff -up krb5/src/appl/bsd/login.c krb5/src/appl/bsd/login.c
|
||||
--- krb5/src/appl/bsd/login.c 2007-07-11 13:50:34.000000000 -0400
|
||||
+++ krb5/src/appl/bsd/login.c 2007-07-11 13:50:36.000000000 -0400
|
||||
@@ -1497,13 +1497,8 @@ int main(argc, argv)
|
||||
diff -up krb5-appl-1.0/bsd/login.c.login_chdir krb5-appl-1.0/bsd/login.c
|
||||
--- krb5-appl-1.0/bsd/login.c.login_chdir 2010-03-05 11:01:23.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/login.c 2010-03-05 11:01:23.000000000 -0500
|
||||
@@ -1115,13 +1115,8 @@ int main(argc, argv)
|
||||
}
|
||||
#endif /* USE_PAM */
|
||||
|
||||
@ -20,8 +20,8 @@ diff -up krb5/src/appl/bsd/login.c krb5/src/appl/bsd/login.c
|
||||
+ exit(0);
|
||||
|
||||
/* nothing else left to fail -- really log in */
|
||||
{
|
||||
@@ -1710,6 +1705,14 @@ int main(argc, argv)
|
||||
login_time = time(NULL);
|
||||
@@ -1293,6 +1288,14 @@ int main(argc, argv)
|
||||
sleepexit(1);
|
||||
}
|
||||
|
107
krb5-appl-1.0-manpaths.patch
Normal file
107
krb5-appl-1.0-manpaths.patch
Normal file
@ -0,0 +1,107 @@
|
||||
Change the absolute paths included in the man pages so that the correct
|
||||
values can be dropped in by config.status. After applying this patch,
|
||||
these files should be renamed to their ".in" counterparts, and then the
|
||||
configure scripts should be rebuilt. Originally RT#6525
|
||||
|
||||
diff -up krb5-appl-1.0/aclocal.m4.manpaths krb5-appl-1.0/aclocal.m4
|
||||
--- krb5-appl-1.0/aclocal.m4.manpaths 2010-03-05 10:55:58.000000000 -0500
|
||||
+++ krb5-appl-1.0/aclocal.m4 2010-03-05 10:55:58.000000000 -0500
|
||||
@@ -565,3 +565,24 @@ AC_SUBST(PAM_LIBS)
|
||||
AC_SUBST(PAM_MAN)
|
||||
AC_SUBST(NON_PAM_MAN)
|
||||
])dnl
|
||||
+AC_DEFUN(V5_AC_OUTPUT_MANPAGE,[
|
||||
+mansysconfdir=$sysconfdir
|
||||
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$prefix,g"`
|
||||
+mansysconfdir=`eval echo $mansysconfdir | sed -e "s,NONE,$ac_default_prefix,g"`
|
||||
+mansbindir=$sbindir
|
||||
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$exec_prefix,g"`
|
||||
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$prefix,g"`
|
||||
+mansbindir=`eval echo $mansbindir | sed -e "s,NONE,$ac_default_prefix,g"`
|
||||
+manlocalstatedir=$localstatedir
|
||||
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$prefix,g"`
|
||||
+manlocalstatedir=`eval echo $manlocalstatedir | sed -e "s,NONE,$ac_default_prefix,g"`
|
||||
+manlibexecdir=$libexecdir
|
||||
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$exec_prefix,g"`
|
||||
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$prefix,g"`
|
||||
+manlibexecdir=`eval echo $manlibexecdir | sed -e "s,NONE,$ac_default_prefix,g"`
|
||||
+AC_SUBST(mansysconfdir)
|
||||
+AC_SUBST(mansbindir)
|
||||
+AC_SUBST(manlocalstatedir)
|
||||
+AC_SUBST(manlibexecdir)
|
||||
+AC_CONFIG_FILES($1)
|
||||
+])
|
||||
diff -up krb5-appl-1.0/bsd/klogind.M.manpaths krb5-appl-1.0/bsd/klogind.M
|
||||
--- krb5-appl-1.0/bsd/klogind.M.manpaths 2008-12-15 15:29:01.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/klogind.M 2010-03-05 10:55:58.000000000 -0500
|
||||
@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when
|
||||
the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
|
||||
configuration line for \fIklogind\fP might be:
|
||||
|
||||
-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
|
||||
+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c
|
||||
|
||||
When a service request is received, the following protocol is initiated:
|
||||
|
||||
diff -up krb5-appl-1.0/bsd/kshd.M.manpaths krb5-appl-1.0/bsd/kshd.M
|
||||
--- krb5-appl-1.0/bsd/kshd.M.manpaths 2006-06-12 14:19:26.000000000 -0400
|
||||
+++ krb5-appl-1.0/bsd/kshd.M 2010-03-05 10:55:58.000000000 -0500
|
||||
@@ -8,7 +8,7 @@
|
||||
.SH NAME
|
||||
kshd \- kerberized remote shell server
|
||||
.SH SYNOPSIS
|
||||
-.B /usr/local/sbin/kshd
|
||||
+.B @mansbindir@/kshd
|
||||
[
|
||||
.B \-kr45ec
|
||||
]
|
||||
@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe
|
||||
on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
|
||||
configuration line for \fIkrshd\fP might be:
|
||||
|
||||
-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c
|
||||
+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c
|
||||
|
||||
When a service request is received, the following protocol is initiated:
|
||||
|
||||
diff -up krb5-appl-1.0/configure.ac.manpaths krb5-appl-1.0/configure.ac
|
||||
--- krb5-appl-1.0/configure.ac.manpaths 2010-03-05 10:55:58.000000000 -0500
|
||||
+++ krb5-appl-1.0/configure.ac 2010-03-05 10:55:58.000000000 -0500
|
||||
@@ -412,6 +412,13 @@ else
|
||||
fi
|
||||
AC_SUBST(HAVE_RUNTEST)
|
||||
|
||||
+V5_AC_OUTPUT_MANPAGE([
|
||||
+ gssftp/ftpd/ftpd.M
|
||||
+ bsd/klogind.M
|
||||
+ bsd/kshd.M
|
||||
+ telnet/telnetd/telnetd.8
|
||||
+])
|
||||
+
|
||||
V5_AC_OUTPUT_MAKEFILE(. bsd libmissing libpty
|
||||
gssftp gssftp/ftp gssftp/ftpd
|
||||
telnet telnet/libtelnet telnet/telnet telnet/telnetd
|
||||
diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.M.manpaths krb5-appl-1.0/gssftp/ftpd/ftpd.M
|
||||
--- krb5-appl-1.0/gssftp/ftpd/ftpd.M.manpaths 2009-01-28 00:42:11.000000000 -0500
|
||||
+++ krb5-appl-1.0/gssftp/ftpd/ftpd.M 2010-03-05 10:55:58.000000000 -0500
|
||||
@@ -35,7 +35,7 @@
|
||||
.SH NAME
|
||||
ftpd \- DARPA Internet File Transfer Protocol server
|
||||
.SH SYNOPSIS
|
||||
-.B ftpd
|
||||
+.B @mansbindir@/ftpd
|
||||
[\fB\-A \fP|\fB -a\fP] [\fB\-C\fP] [\fB\-c\fP] [\fB\-d\fP] [\fB-E\fP]
|
||||
[\fB\-l\fP] [\fB\-v\fP] [\fB\-T\fP \fImaxtimeout\fP] [\fB\-t\fP \fItimeout\fP]
|
||||
[\fB\-p\fP \fIport\fP] [\fB\-U\fP \fIftpusers-file\fP] [\fB\-u\fP \fIumask\fP]
|
||||
diff -up krb5-appl-1.0/telnet/telnetd/telnetd.8.manpaths krb5-appl-1.0/telnet/telnetd/telnetd.8
|
||||
--- krb5-appl-1.0/telnet/telnetd/telnetd.8.manpaths 2004-11-15 16:25:41.000000000 -0500
|
||||
+++ krb5-appl-1.0/telnet/telnetd/telnetd.8 2010-03-05 10:55:58.000000000 -0500
|
||||
@@ -37,7 +37,7 @@ telnetd \-
|
||||
.SM DARPA TELNET
|
||||
protocol server
|
||||
.SH SYNOPSIS
|
||||
-.B /usr/libexec/telnetd
|
||||
+.B @mansbindir@/telnetd
|
||||
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
|
||||
[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
|
||||
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
|
@ -17,7 +17,7 @@ At run-time, krshd's behavior can be reset to the earlier, non-PAM
|
||||
behavior by setting "use_pam" to false in the [ftpd] section of
|
||||
/etc/krb5.conf.
|
||||
|
||||
Modify login so that instead of directly obtaining v5 or v4 credentials
|
||||
Modify login so that instead of directly obtaining v5 credentials
|
||||
or running aklog, it calls PAM for authentication if strong
|
||||
authentication hasn't already been performed, so that it performs
|
||||
account management using PAM (prompting for a password change if need
|
||||
@ -28,24 +28,16 @@ is pretty much always going to be there. At run-time, login's behavior
|
||||
can be reset to the earlier, non-PAM behavior by setting "use_pam" to
|
||||
false in the [login] section of /etc/krb5.conf.
|
||||
|
||||
Modify ksu so that it performs account and session management for the
|
||||
target user account, mimicking the action of regular su. The default
|
||||
service name is "ksu", because on Fedora at least the configuration used
|
||||
is determined by whether or not a login shell is being opened, and so
|
||||
this may need to vary, too. At run-time, ksu's behavior can be reset to
|
||||
the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu]
|
||||
section of /etc/krb5.conf.
|
||||
When enabled, ftpd, krshd, and login.krb5 gain dependence on libpam.
|
||||
Originally filed as RT#5939.
|
||||
|
||||
When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam.
|
||||
RT#5939.
|
||||
|
||||
diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
|
||||
--- krb5-1.7/src/aclocal.m4 2009-02-18 19:38:17.000000000 -0500
|
||||
+++ krb5-1.7/src/aclocal.m4 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -1771,3 +1771,86 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
|
||||
]))
|
||||
diff -up krb5-appl-1.0/aclocal.m4.pam krb5-appl-1.0/aclocal.m4
|
||||
--- krb5-appl-1.0/aclocal.m4.pam 2009-11-21 15:29:19.000000000 -0500
|
||||
+++ krb5-appl-1.0/aclocal.m4 2010-03-05 10:48:50.000000000 -0500
|
||||
@@ -486,3 +486,82 @@ AC_DEFUN([KRB5_AC_LIBUTIL],
|
||||
UTIL_LIB=-lutil])dnl
|
||||
AC_SUBST(UTIL_LIB)
|
||||
])dnl
|
||||
dnl
|
||||
+dnl
|
||||
+dnl Use PAM instead of local crypt() compare for checking local passwords,
|
||||
+dnl and perform PAM account, session management, and password-changing where
|
||||
@ -62,8 +54,6 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
|
||||
+ withekshellpamservice="$withval",withekshellpamservice=ekshell)
|
||||
+AC_ARG_WITH(pam-ftp-service,[AC_HELP_STRING(--with-ftp-service,[PAM service name for ftpd ["gssftp"]])],
|
||||
+ withftppamservice="$withval",withftppamservice=gssftp)
|
||||
+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])],
|
||||
+ withksupamservice="$withval",withksupamservice=ksu)
|
||||
+old_LIBS="$LIBS"
|
||||
+if test "$withpam" != no ; then
|
||||
+ AC_MSG_RESULT([checking for PAM...])
|
||||
@ -114,8 +104,6 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
|
||||
+ [Define to the name of the PAM service name to be used by rshd for encrypted sessions.])
|
||||
+ AC_DEFINE_UNQUOTED(FTP_PAM_SERVICE,"$withftppamservice",
|
||||
+ [Define to the name of the PAM service name to be used by ftpd.])
|
||||
+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice",
|
||||
+ [Define to the name of the PAM service name to be used by ksu.])
|
||||
+ PAM_LIBS="$LIBS"
|
||||
+ NON_PAM_MAN=".\\\" "
|
||||
+ PAM_MAN=
|
||||
@ -129,21 +117,10 @@ diff -up krb5-1.7/src/aclocal.m4 krb5-1.7/src/aclocal.m4
|
||||
+AC_SUBST(PAM_MAN)
|
||||
+AC_SUBST(NON_PAM_MAN)
|
||||
+])dnl
|
||||
diff -up krb5-1.7/src/appl/bsd/configure.in krb5-1.7/src/appl/bsd/configure.in
|
||||
--- krb5-1.7/src/appl/bsd/configure.in 2008-12-15 15:29:01.000000000 -0500
|
||||
+++ krb5-1.7/src/appl/bsd/configure.in 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -24,6 +24,7 @@ AC_CHECK_LIB(odm,main,
|
||||
AC_CHECK_LIB(cfg,main,
|
||||
LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg"
|
||||
)))
|
||||
+KRB5_WITH_PAM
|
||||
dnl
|
||||
dnl Make our operating system-specific security checks and definitions for
|
||||
dnl login.
|
||||
diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
--- krb5-1.7/src/appl/bsd/krshd.c 2009-04-15 16:07:15.000000000 -0400
|
||||
+++ krb5-1.7/src/appl/bsd/krshd.c 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -161,6 +161,10 @@ char copyright[] =
|
||||
diff -up krb5-appl-1.0/bsd/krshd.c.pam krb5-appl-1.0/bsd/krshd.c
|
||||
--- krb5-appl-1.0/bsd/krshd.c.pam 2009-11-16 05:27:04.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/krshd.c 2010-03-05 10:48:50.000000000 -0500
|
||||
@@ -163,6 +163,10 @@ char copyright[] =
|
||||
#include <arpa/nameser.h>
|
||||
#endif
|
||||
|
||||
@ -154,7 +131,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
#ifndef MAXDNAME
|
||||
#define MAXDNAME 256 /*per the rfc*/
|
||||
#endif
|
||||
@@ -181,6 +185,7 @@ void fatal(int, const char *);
|
||||
@@ -183,6 +187,7 @@ void fatal(int, const char *);
|
||||
|
||||
int require_encrypt = 0;
|
||||
int do_encrypt = 0;
|
||||
@ -162,7 +139,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
int anyport = 0;
|
||||
char *kprogdir = KPROGDIR;
|
||||
int netf;
|
||||
@@ -1030,14 +1035,6 @@ void doit(f, fromp)
|
||||
@@ -1032,14 +1037,6 @@ void doit(f, fromp)
|
||||
}
|
||||
#endif /*CRAY*/
|
||||
|
||||
@ -177,7 +154,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
#ifdef KERBEROS
|
||||
/* krb5_kuserok returns 1 if OK */
|
||||
if (!krb5_kuserok(bsd_context, client, locuser)){
|
||||
@@ -1067,11 +1064,51 @@ void doit(f, fromp)
|
||||
@@ -1069,11 +1066,51 @@ void doit(f, fromp)
|
||||
goto signout_please;
|
||||
}
|
||||
|
||||
@ -229,7 +206,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
/* Log access to account */
|
||||
pwd = (struct passwd *) getpwnam(locuser);
|
||||
if (pwd && (pwd->pw_uid == 0)) {
|
||||
@@ -1111,7 +1148,7 @@ void doit(f, fromp)
|
||||
@@ -1113,7 +1150,7 @@ void doit(f, fromp)
|
||||
|
||||
(void) write(2, "", 1);
|
||||
|
||||
@ -238,7 +215,7 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
if (port&&(pipe(pv) < 0)) {
|
||||
error("Can't make pipe.\n");
|
||||
goto signout_please;
|
||||
@@ -1416,6 +1453,15 @@ void doit(f, fromp)
|
||||
@@ -1418,6 +1455,15 @@ void doit(f, fromp)
|
||||
|
||||
environ = envinit;
|
||||
|
||||
@ -254,11 +231,11 @@ diff -up krb5-1.7/src/appl/bsd/krshd.c krb5-1.7/src/appl/bsd/krshd.c
|
||||
#ifdef KERBEROS
|
||||
/* To make Kerberos rcp work correctly, we must ensure that we
|
||||
invoke Kerberos rcp on this end, not normal rcp, even if the
|
||||
diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
|
||||
--- krb5-1.7/src/appl/bsd/login.c 2008-12-15 15:29:01.000000000 -0500
|
||||
+++ krb5-1.7/src/appl/bsd/login.c 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -145,6 +145,11 @@ typedef sigtype (*handler)();
|
||||
#include "osconf.h"
|
||||
diff -up krb5-appl-1.0/bsd/login.c.pam krb5-appl-1.0/bsd/login.c
|
||||
--- krb5-appl-1.0/bsd/login.c.pam 2009-11-21 15:29:19.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/login.c 2010-03-05 10:48:50.000000000 -0500
|
||||
@@ -148,6 +148,11 @@ typedef sigtype (*handler)();
|
||||
#define KRB5_ENV_CCNAME "KRB5CCNAME"
|
||||
#endif /* KRB5_GET_TICKETS */
|
||||
|
||||
+#ifdef USE_PAM
|
||||
@ -269,7 +246,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
|
||||
#ifndef __STDC__
|
||||
#ifndef volatile
|
||||
#define volatile
|
||||
@@ -294,6 +299,9 @@ static struct login_confs {
|
||||
@@ -293,6 +298,9 @@ static struct login_confs {
|
||||
char *flagname;
|
||||
int *flag;
|
||||
} login_conf_set[] = {
|
||||
@ -279,7 +256,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
|
||||
#ifdef KRB5_GET_TICKETS
|
||||
{"krb5_get_tickets", &login_krb5_get_tickets},
|
||||
{"krb_run_aklog", &login_krb_run_aklog},
|
||||
@@ -933,6 +941,21 @@ int main(argc, argv)
|
||||
@@ -934,6 +942,21 @@ int main(argc, argv)
|
||||
if (!unix_needs_passwd())
|
||||
break;
|
||||
|
||||
@ -301,7 +278,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
|
||||
#ifdef KRB5_GET_TICKETS
|
||||
if (login_krb5_get_tickets) {
|
||||
/* rename these to something more verbose */
|
||||
@@ -1020,6 +1043,24 @@ int main(argc, argv)
|
||||
@@ -1021,6 +1044,24 @@ int main(argc, argv)
|
||||
/* committed to login -- turn off timeout */
|
||||
(void) alarm((u_int) 0);
|
||||
|
||||
@ -326,7 +303,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
|
||||
/*
|
||||
* If valid so far and root is logging in, see if root logins on
|
||||
* this terminal are permitted.
|
||||
@@ -1060,6 +1101,21 @@ int main(argc, argv)
|
||||
@@ -1061,6 +1102,21 @@ int main(argc, argv)
|
||||
sleepexit(0);
|
||||
}
|
||||
#endif
|
||||
@ -348,7 +325,7 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
|
||||
|
||||
if (chdir(pwd->pw_dir) < 0) {
|
||||
printf("No directory %s!\n", pwd->pw_dir);
|
||||
@@ -1347,6 +1403,11 @@ int main(argc, argv)
|
||||
@@ -1343,6 +1399,11 @@ int main(argc, argv)
|
||||
}
|
||||
#endif /* KRB5_GET_TICKETS */
|
||||
|
||||
@ -360,54 +337,55 @@ diff -up krb5-1.7/src/appl/bsd/login.c krb5-1.7/src/appl/bsd/login.c
|
||||
if (tty[sizeof("tty")-1] == 'd')
|
||||
syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);
|
||||
if (pwd->pw_uid == 0)
|
||||
diff -up krb5-1.7/src/appl/bsd/Makefile.in krb5-1.7/src/appl/bsd/Makefile.in
|
||||
--- krb5-1.7/src/appl/bsd/Makefile.in 2009-01-05 15:27:53.000000000 -0500
|
||||
+++ krb5-1.7/src/appl/bsd/Makefile.in 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -11,12 +11,13 @@ SETENVOBJ=@SETENVOBJ@
|
||||
diff -up krb5-appl-1.0/bsd/Makefile.in.pam krb5-appl-1.0/bsd/Makefile.in
|
||||
--- krb5-appl-1.0/bsd/Makefile.in.pam 2009-11-05 15:10:37.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/Makefile.in 2010-03-05 10:48:50.000000000 -0500
|
||||
@@ -3,11 +3,14 @@ BUILDTOP=$(REL)..
|
||||
|
||||
LOGINLIBS=@LOGINLIBS@
|
||||
LIBOBJS=@LIBOBJS@
|
||||
KRSHDLIBS=@KRSHDLIBS@
|
||||
+PAMOBJS=pam.o
|
||||
+PAM_LIBS=@PAM_LIBS@
|
||||
|
||||
SRCS= $(srcdir)/krcp.c $(srcdir)/krlogin.c $(srcdir)/krsh.c $(srcdir)/kcmd.c \
|
||||
$(srcdir)/forward.c $(srcdir)/login.c $(srcdir)/krshd.c \
|
||||
$(srcdir)/krlogind.c
|
||||
OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o $(SETENVOBJ) login.o krshd.o \
|
||||
- krlogind.o $(LIBOBJS)
|
||||
+ krlogind.o $(LIBOBJS) $(PAMOBJS)
|
||||
-OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o login.o krshd.o krlogind.o
|
||||
+OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o login.o krshd.o krlogind.o \
|
||||
+ $(PAMOBJS)
|
||||
|
||||
UCB_RLOGIN = @UCB_RLOGIN@
|
||||
UCB_RSH = @UCB_RSH@
|
||||
@@ -53,8 +54,8 @@ install::
|
||||
@@ -50,8 +53,8 @@ install::
|
||||
) || exit 1; \
|
||||
done
|
||||
|
||||
-kshd: krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB)
|
||||
- $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(APPUTILS_LIB)
|
||||
+kshd: krshd.o kcmd.o forward.o $(PAMOBJS) $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB)
|
||||
+ $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(PAMOBJS) $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS) $(APPUTILS_LIB)
|
||||
-kshd: krshd.o kcmd.o forward.o $(PTY_DEPLIB) $(MISSING_DEPLIB)
|
||||
- $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(LIBS)
|
||||
+kshd: krshd.o kcmd.o forward.o $(PAMOBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB)
|
||||
+ $(CC_LINK) -o kshd krshd.o kcmd.o forward.o $(PAMOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS) $(LIBS)
|
||||
|
||||
klogind: krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB)
|
||||
$(CC_LINK) -o klogind krlogind.o kcmd.o forward.o $(SETENVOBJ) $(LIBOBJS) $(PTY_LIB) $(UTIL_LIB) $(KRB5_BASE_LIBS) $(APPUTILS_LIB)
|
||||
@@ -71,8 +72,8 @@ install::
|
||||
klogind: krlogind.o kcmd.o forward.o $(PTY_DEPLIB) $(MISSING_DEPLIB)
|
||||
$(CC_LINK) -o klogind krlogind.o kcmd.o forward.o $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(KRB5_BASE_LIBS) $(LIBS)
|
||||
@@ -68,8 +71,8 @@ install::
|
||||
# No program name transformation is done with login.krb5 since it is directly
|
||||
# referenced by klogind.
|
||||
#
|
||||
-login.krb5: login.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS)
|
||||
- $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS)
|
||||
+login.krb5: login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(PTY_DEPLIB) $(KRB5_BASE_DEPLIBS)
|
||||
+ $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(PAM_LIBS)
|
||||
-login.krb5: login.o $(PTY_DEPLIB) $(MISSING_DEPLIB)
|
||||
- $(CC_LINK) -o login.krb5 login.o $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(MISSING_LIB) $(LIBS)
|
||||
+login.krb5: login.o $(PAMOBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB)
|
||||
+ $(CC_LINK) -o login.krb5 login.o $(PAMOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB5_BASE_LIBS) $(MISSING_LIB) $(PAM_LIBS) $(LIBS)
|
||||
|
||||
install::
|
||||
$(INSTALL_PROGRAM) login.krb5 $(DESTDIR)$(SERVER_BINDIR)/login.krb5
|
||||
diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c
|
||||
--- /dev/null 2009-06-04 10:34:55.169007373 -0400
|
||||
+++ krb5-1.7/src/appl/bsd/pam.c 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -0,0 +1,433 @@
|
||||
diff -up krb5-appl-1.0/bsd/pam.c.pam krb5-appl-1.0/bsd/pam.c
|
||||
--- krb5-appl-1.0/bsd/pam.c.pam 2010-03-05 10:48:50.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/pam.c 2010-03-05 10:48:50.000000000 -0500
|
||||
@@ -0,0 +1,438 @@
|
||||
+/*
|
||||
+ * src/appl/bsd/pam.c
|
||||
+ *
|
||||
+ * Copyright 2007,2009 Red Hat, Inc.
|
||||
+ * Copyright 2007,2009,2010 Red Hat, Inc.
|
||||
+ *
|
||||
+ * All Rights Reserved.
|
||||
+ *
|
||||
@ -447,13 +425,17 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <unistd.h>
|
||||
+#include "k5-int.h"
|
||||
+#include <profile.h>
|
||||
+#include "pam.h"
|
||||
+
|
||||
+#ifndef MAXPWSIZE
|
||||
+#define MAXPWSIZE 128
|
||||
+#endif
|
||||
+
|
||||
+#ifndef KRB5_ENV_CCNAME
|
||||
+#define KRB5_ENV_CCNAME "KRB5CCNAME"
|
||||
+#endif
|
||||
+
|
||||
+static int appl_pam_started;
|
||||
+static pid_t appl_pam_starter = -1;
|
||||
+static int appl_pam_session_opened;
|
||||
@ -471,8 +453,9 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c
|
||||
+appl_pam_enabled(krb5_context context, const char *section)
|
||||
+{
|
||||
+ int enabled = 1;
|
||||
+ if ((context != NULL) && (context->profile != NULL)) {
|
||||
+ if (profile_get_boolean(context->profile,
|
||||
+ profile_t profile = NULL;
|
||||
+ if ((context != NULL) && (krb5_get_profile(context, &profile) == 0)) {
|
||||
+ if (profile_get_boolean(profile,
|
||||
+ section,
|
||||
+ USE_PAM_CONFIGURATION_KEYWORD,
|
||||
+ NULL,
|
||||
@ -837,9 +820,9 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.c
|
||||
+ return ret;
|
||||
+}
|
||||
+#endif
|
||||
diff -up /dev/null krb5-1.7/src/appl/bsd/pam.h
|
||||
--- /dev/null 2009-06-04 10:34:55.169007373 -0400
|
||||
+++ krb5-1.7/src/appl/bsd/pam.h 2009-06-04 13:45:57.000000000 -0400
|
||||
diff -up krb5-appl-1.0/bsd/pam.h.pam krb5-appl-1.0/bsd/pam.h
|
||||
--- krb5-appl-1.0/bsd/pam.h.pam 2010-03-05 10:48:50.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/pam.h 2010-03-05 10:48:50.000000000 -0500
|
||||
@@ -0,0 +1,65 @@
|
||||
+/*
|
||||
+ * src/appl/bsd/pam.h
|
||||
@ -906,21 +889,22 @@ diff -up /dev/null krb5-1.7/src/appl/bsd/pam.h
|
||||
+int appl_pam_cred_init(void);
|
||||
+void appl_pam_cleanup(void);
|
||||
+#endif
|
||||
diff -up krb5-1.7/src/appl/gssftp/configure.in krb5-1.7/src/appl/gssftp/configure.in
|
||||
--- krb5-1.7/src/appl/gssftp/configure.in 2006-03-31 16:00:40.000000000 -0500
|
||||
+++ krb5-1.7/src/appl/gssftp/configure.in 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -17,6 +17,7 @@ DECLARE_SYS_ERRLIST
|
||||
AC_REPLACE_FUNCS(getdtablesize)
|
||||
AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv)
|
||||
AC_CHECK_LIB(crypt,crypt) dnl
|
||||
diff -up krb5-appl-1.0/configure.ac.pam krb5-appl-1.0/configure.ac
|
||||
--- krb5-appl-1.0/configure.ac.pam 2009-11-21 16:46:39.000000000 -0500
|
||||
+++ krb5-appl-1.0/configure.ac 2010-03-05 10:48:50.000000000 -0500
|
||||
@@ -156,6 +156,8 @@ AC_CHECK_FUNC(tgetent, ,
|
||||
[AC_MSG_ERROR([Could not find tgetent; are you missing a curses/ncurses library?])])
|
||||
LIBS="$old_LIBS"
|
||||
|
||||
+KRB5_WITH_PAM
|
||||
KRB5_AC_LIBUTIL
|
||||
dnl
|
||||
dnl copied from appl/bsd/configure.in
|
||||
diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd.c
|
||||
--- krb5-1.7/src/appl/gssftp/ftpd/ftpd.c 2009-01-28 00:42:11.000000000 -0500
|
||||
+++ krb5-1.7/src/appl/gssftp/ftpd/ftpd.c 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -67,6 +67,9 @@ static char sccsid[] = "@(#)ftpd.c 5.40
|
||||
+
|
||||
# Make our operating system-specific security checks and definitions
|
||||
# for libpty, login, and ftpd. The following code decides what
|
||||
# streams modules will be pushed onto a pty. In particular, if
|
||||
diff -up krb5-appl-1.0/gssftp/ftpd/ftpd.c.pam krb5-appl-1.0/gssftp/ftpd/ftpd.c
|
||||
--- krb5-appl-1.0/gssftp/ftpd/ftpd.c.pam 2009-11-18 00:07:46.000000000 -0500
|
||||
+++ krb5-appl-1.0/gssftp/ftpd/ftpd.c 2010-03-05 10:48:50.000000000 -0500
|
||||
@@ -69,6 +69,9 @@ static char sccsid[] = "@(#)ftpd.c 5.40
|
||||
#ifdef HAVE_SHADOW
|
||||
#include <shadow.h>
|
||||
#endif
|
||||
@ -930,7 +914,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
|
||||
#include <grp.h>
|
||||
#include <setjmp.h>
|
||||
#ifndef POSIX_SETJMP
|
||||
@@ -745,6 +748,22 @@ user(name)
|
||||
@@ -743,6 +746,22 @@ user(name)
|
||||
name);
|
||||
}
|
||||
#endif /* GSSAPI */
|
||||
@ -953,7 +937,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
|
||||
|
||||
if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) {
|
||||
strncat(buf, "; Access denied.",
|
||||
@@ -846,6 +865,10 @@ end_login()
|
||||
@@ -843,6 +862,10 @@ end_login()
|
||||
(void) krb5_seteuid((uid_t)0);
|
||||
if (logged_in)
|
||||
pty_logwtmp(ttyline, "", "");
|
||||
@ -964,7 +948,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
|
||||
if (have_creds) {
|
||||
#ifdef GSSAPI
|
||||
krb5_cc_destroy(kcontext, ccache);
|
||||
@@ -954,9 +977,19 @@ pass(passwd)
|
||||
@@ -951,9 +974,19 @@ pass(passwd)
|
||||
* kpass fails and the user has no local password
|
||||
* kpass fails and the provided password doesn't match pw
|
||||
*/
|
||||
@ -987,7 +971,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
|
||||
pw = NULL;
|
||||
sleep(5);
|
||||
if (++login_attempts >= 3) {
|
||||
@@ -973,6 +1006,23 @@ pass(passwd)
|
||||
@@ -970,6 +1003,23 @@ pass(passwd)
|
||||
}
|
||||
login_attempts = 0; /* this time successful */
|
||||
|
||||
@ -1011,7 +995,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
|
||||
login(passwd, 0);
|
||||
return;
|
||||
}
|
||||
@@ -988,6 +1038,18 @@ login(passwd, logincode)
|
||||
@@ -985,6 +1035,18 @@ login(passwd, logincode)
|
||||
chown(ccname, pw->pw_uid, pw->pw_gid);
|
||||
#endif
|
||||
}
|
||||
@ -1030,7 +1014,7 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
|
||||
|
||||
(void) krb5_setegid((gid_t)pw->pw_gid);
|
||||
(void) initgroups(pw->pw_name, pw->pw_gid);
|
||||
@@ -1960,6 +2022,10 @@ dologout(status)
|
||||
@@ -1966,6 +2028,10 @@ dologout(status)
|
||||
krb5_cc_destroy(kcontext, ccache);
|
||||
#endif
|
||||
}
|
||||
@ -1041,12 +1025,12 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/ftpd.c krb5-1.7/src/appl/gssftp/ftpd/ftpd
|
||||
/* beware of flushing buffers after a SIGPIPE */
|
||||
_exit(status);
|
||||
}
|
||||
diff -up krb5-1.7/src/appl/gssftp/ftpd/Makefile.in krb5-1.7/src/appl/gssftp/ftpd/Makefile.in
|
||||
--- krb5-1.7/src/appl/gssftp/ftpd/Makefile.in 2009-01-05 15:27:53.000000000 -0500
|
||||
+++ krb5-1.7/src/appl/gssftp/ftpd/Makefile.in 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -14,23 +14,25 @@ SETENVOBJ=@SETENVOBJ@
|
||||
LIBOBJS=@LIBOBJS@
|
||||
COMERRLIB=$(BUILDTOP)/util/et/libcom_err.a
|
||||
diff -up krb5-appl-1.0/gssftp/ftpd/Makefile.in.pam krb5-appl-1.0/gssftp/ftpd/Makefile.in
|
||||
--- krb5-appl-1.0/gssftp/ftpd/Makefile.in.pam 2009-07-20 13:21:24.000000000 -0400
|
||||
+++ krb5-appl-1.0/gssftp/ftpd/Makefile.in 2010-03-05 10:48:50.000000000 -0500
|
||||
@@ -6,22 +6,24 @@ PROG_LIBPATH=-L$(TOPLIBD)
|
||||
PROG_RPATH=$(KRB5_LIBDIR)
|
||||
|
||||
FTPD_LIBS=@FTPD_LIBS@
|
||||
+PAM_LIBS=@PAM_LIBS@
|
||||
|
||||
@ -1054,218 +1038,29 @@ diff -up krb5-1.7/src/appl/gssftp/ftpd/Makefile.in krb5-1.7/src/appl/gssftp/ftpd
|
||||
$(srcdir)/vers.c \
|
||||
$(srcdir)/../ftp/glob.c \
|
||||
$(srcdir)/../ftp/radix.c \
|
||||
$(srcdir)/../ftp/secure.c \
|
||||
+ $(srcdir)/../../bsd/pam.c \
|
||||
$(srcdir)/../../bsd/getdtablesize.c $(SETENVSRC)
|
||||
- $(srcdir)/../ftp/secure.c
|
||||
+ $(srcdir)/../ftp/secure.c \
|
||||
+ $(srcdir)/../../bsd/pam.c
|
||||
|
||||
OBJS = ftpd.o ftpcmd.o glob.o popen.o vers.o radix.o \
|
||||
- secure.o $(LIBOBJS) $(SETENVOBJ)
|
||||
+ secure.o pam.o getdtablesize.o $(LIBOBJS) $(SETENVOBJ)
|
||||
- secure.o
|
||||
+ secure.o pam.o
|
||||
|
||||
LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir)
|
||||
|
||||
all:: ftpd
|
||||
|
||||
ftpd: $(OBJS) $(PTY_DEPLIB) $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS)
|
||||
- $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB5_BASE_LIBS)
|
||||
+ $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB5_BASE_LIBS) $(PAM_LIBS)
|
||||
ftpd: $(OBJS) $(PTY_DEPLIB) $(MISSING_DEPLIB)
|
||||
- $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(GSS_LIBS) $(LIBS)
|
||||
+ $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(MISSING_LIB) $(GSS_LIBS) $(PAM_LIBS) $(LIBS)
|
||||
|
||||
generate-files-mac: ftpcmd.c
|
||||
|
||||
@@ -62,6 +64,8 @@ secure.o: $(srcdir)/../ftp/secure.c
|
||||
@@ -61,4 +63,7 @@ ftpcmd.o: ftpcmd.c
|
||||
popen.o: $(srcdir)/popen.c
|
||||
vers.o: $(srcdir)/vers.c
|
||||
|
||||
getdtablesize.o: $(srcdir)/../../bsd/getdtablesize.c
|
||||
$(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/getdtablesize.c
|
||||
+pam.o: $(srcdir)/../../bsd/pam.c
|
||||
+ $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/pam.c
|
||||
|
||||
setenv.o: $(srcdir)/../../bsd/setenv.c
|
||||
$(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/setenv.c
|
||||
diff -up krb5-1.7/src/clients/ksu/main.c krb5-1.7/src/clients/ksu/main.c
|
||||
--- krb5-1.7/src/clients/ksu/main.c 2008-12-01 12:09:59.000000000 -0500
|
||||
+++ krb5-1.7/src/clients/ksu/main.c 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -25,6 +25,7 @@
|
||||
* KSU was writen by: Ari Medvinsky, ari@isi.edu
|
||||
*/
|
||||
|
||||
+#include "autoconf.h"
|
||||
#include "ksu.h"
|
||||
#include "adm_proto.h"
|
||||
#include <sys/types.h>
|
||||
@@ -32,6 +33,10 @@
|
||||
#include <signal.h>
|
||||
#include <grp.h>
|
||||
|
||||
+#ifdef USE_PAM
|
||||
+#include "../../appl/bsd/pam.h"
|
||||
+#endif
|
||||
+
|
||||
/* globals */
|
||||
char * prog_name;
|
||||
int auth_debug =0;
|
||||
@@ -39,6 +44,7 @@
|
||||
char k5users_path[MAXPATHLEN];
|
||||
char * gb_err = NULL;
|
||||
int quiet = 0;
|
||||
+int force_fork = 0;
|
||||
/***********/
|
||||
|
||||
#define _DEF_CSH "/bin/csh"
|
||||
@@ -585,6 +591,25 @@
|
||||
prog_name,target_user,client_name,
|
||||
source_user,ontty());
|
||||
|
||||
+#ifdef USE_PAM
|
||||
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||
+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
|
||||
+ NULL, source_user,
|
||||
+ ttyname(STDERR_FILENO)) != 0) {
|
||||
+ fprintf(stderr, "Access denied for %s.\n", target_user);
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ if (appl_pam_requires_chauthtok()) {
|
||||
+ fprintf(stderr, "Password change required for %s.\n",
|
||||
+ target_user);
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+ force_fork++;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
/* Run authorization as target.*/
|
||||
if (krb5_seteuid(target_uid)) {
|
||||
com_err(prog_name, errno, "while switching to target for authorization check");
|
||||
@@ -791,7 +816,7 @@
|
||||
fprintf(stderr, "program to be execed %s\n",params[0]);
|
||||
}
|
||||
|
||||
- if( keep_target_cache ) {
|
||||
+ if( keep_target_cache && !force_fork ) {
|
||||
execv(params[0], params);
|
||||
com_err(prog_name, errno, "while trying to execv %s",
|
||||
params[0]);
|
||||
@@ -799,6 +824,33 @@
|
||||
exit(1);
|
||||
}else{
|
||||
statusp = 1;
|
||||
+
|
||||
+#ifdef USE_PAM
|
||||
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||
+ if (appl_pam_session_open() != 0) {
|
||||
+ fprintf(stderr, "Error opening session for %s.\n", target_user);
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ if (auth_debug){
|
||||
+ printf(" Opened PAM session.\n");
|
||||
+ }
|
||||
+#endif
|
||||
+ if (appl_pam_cred_init()) {
|
||||
+ fprintf(stderr, "Error initializing credentials for %s.\n",
|
||||
+ target_user);
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ exit(1);
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ if (auth_debug){
|
||||
+ printf(" Initialized PAM credentials.\n");
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
switch ((child_pid = fork())) {
|
||||
default:
|
||||
if (auth_debug){
|
||||
@@ -822,15 +874,34 @@
|
||||
if (ret_pid == -1) {
|
||||
com_err(prog_name, errno, "while calling waitpid");
|
||||
}
|
||||
- sweep_up(ksu_context, cc_target);
|
||||
+ if( !keep_target_cache ) {
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ }
|
||||
exit (statusp);
|
||||
case -1:
|
||||
com_err(prog_name, errno, "while trying to fork.");
|
||||
sweep_up(ksu_context, cc_target);
|
||||
exit (1);
|
||||
case 0:
|
||||
+#ifdef USE_PAM
|
||||
+ if (appl_pam_enabled(ksu_context, "ksu")) {
|
||||
+ if (appl_pam_setenv() != 0) {
|
||||
+ fprintf(stderr, "Error setting up environment for %s.\n",
|
||||
+ target_user);
|
||||
+ exit (1);
|
||||
+ }
|
||||
+#ifdef DEBUG
|
||||
+ if (auth_debug){
|
||||
+ printf(" Set up PAM environment.\n");
|
||||
+ }
|
||||
+#endif
|
||||
+ }
|
||||
+#endif
|
||||
execv(params[0], params);
|
||||
com_err(prog_name, errno, "while trying to execv %s", params[0]);
|
||||
+ if( keep_target_cache ) {
|
||||
+ sweep_up(ksu_context, cc_target);
|
||||
+ }
|
||||
exit (1);
|
||||
}
|
||||
}
|
||||
diff -up krb5-1.7/src/clients/ksu/Makefile.in krb5-1.7/src/clients/ksu/Makefile.in
|
||||
--- krb5-1.7/src/clients/ksu/Makefile.in 2009-01-05 15:27:53.000000000 -0500
|
||||
+++ krb5-1.7/src/clients/ksu/Makefile.in 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -15,6 +15,7 @@ SRCS = \
|
||||
$(srcdir)/ccache.c \
|
||||
$(srcdir)/authorization.c \
|
||||
$(srcdir)/main.c \
|
||||
+ $(srcdir)/../../appl/bsd/pam.c \
|
||||
$(srcdir)/heuristic.c \
|
||||
$(srcdir)/xmalloc.c \
|
||||
$(srcdir)/setenv.c
|
||||
@@ -23,13 +24,17 @@ OBJS = \
|
||||
ccache.o \
|
||||
authorization.o \
|
||||
main.o \
|
||||
+ pam.o \
|
||||
heuristic.o \
|
||||
xmalloc.o @SETENVOBJ@
|
||||
|
||||
all:: ksu
|
||||
|
||||
ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
|
||||
- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
|
||||
+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS)
|
||||
+
|
||||
+pam.o: $(srcdir)/../../appl/bsd/pam.c
|
||||
+ $(CC) $(ALL_CFLAGS) -c $<
|
||||
|
||||
clean::
|
||||
$(RM) ksu
|
||||
diff -up krb5-1.7/src/config/pre.in krb5-1.7/src/config/pre.in
|
||||
--- krb5-1.7/src/config/pre.in 2009-04-15 16:06:35.000000000 -0400
|
||||
+++ krb5-1.7/src/config/pre.in 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -181,6 +181,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PR
|
||||
LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@
|
||||
LDARGS = @LDARGS@
|
||||
LIBS = @LIBS@
|
||||
+PAM_LIBS = @PAM_LIBS@
|
||||
|
||||
INSTALL=@INSTALL@
|
||||
INSTALL_STRIP=
|
||||
diff -up krb5-1.7/src/configure.in krb5-1.7/src/configure.in
|
||||
--- krb5-1.7/src/configure.in 2009-04-15 16:07:03.000000000 -0400
|
||||
+++ krb5-1.7/src/configure.in 2009-06-04 13:45:57.000000000 -0400
|
||||
@@ -1040,6 +1040,8 @@ fi
|
||||
dnl
|
||||
AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet)
|
||||
|
||||
+KRB5_WITH_PAM
|
||||
+
|
||||
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
|
||||
V5_AC_OUTPUT_MAKEFILE(.
|
||||
|
||||
# NOPOSTFIX
|
@ -1,8 +1,10 @@
|
||||
Start with only TERM defined in the environment, like NetKit rlogind does, and
|
||||
KRB5CCNAME, which we set ourselves.
|
||||
--- krb5-1.3/src/appl/bsd/krlogind.c
|
||||
+++ krb5-1.3/src/appl/bsd/krlogind.c
|
||||
@@ -713,6 +713,9 @@
|
||||
|
||||
diff -up krb5-appl-1.0/bsd/krlogind.c.rlogind-environ krb5-appl-1.0/bsd/krlogind.c
|
||||
--- krb5-appl-1.0/bsd/krlogind.c.rlogind-environ 2009-11-21 15:29:19.000000000 -0500
|
||||
+++ krb5-appl-1.0/bsd/krlogind.c 2010-03-05 11:07:34.000000000 -0500
|
||||
@@ -667,6 +667,9 @@ void doit(f, fromp)
|
||||
#else
|
||||
struct sgttyb b;
|
||||
#endif /* POSIX_TERMIOS */
|
||||
@ -10,9 +12,9 @@ KRB5CCNAME, which we set ourselves.
|
||||
+ char *bare_environ[] = {environ_term, environ_ccname, NULL};
|
||||
+
|
||||
if ((retval = pty_open_slave(line, &t))) {
|
||||
fatal(f, error_message(retval));
|
||||
fatal(f, pty_error_message(retval));
|
||||
exit(1);
|
||||
@@ -819,11 +822,15 @@
|
||||
@@ -773,11 +776,15 @@ void doit(f, fromp)
|
||||
/* use the vendors login, which has -p and -f. Tested on
|
||||
* AIX 4.1.4 and HPUX 10
|
||||
*/
|
||||
@ -23,15 +25,14 @@ KRB5CCNAME, which we set ourselves.
|
||||
{
|
||||
char *cp;
|
||||
- if ((cp = strchr(term,'/')))
|
||||
- *cp = '\0';
|
||||
- setenv("TERM",term, 1);
|
||||
+ snprintf(environ_term, sizeof(environ_term) - 1, "TERM=%s", term);
|
||||
+ if ((cp = strchr(environ_term,'/')))
|
||||
+ *cp = '\0';
|
||||
*cp = '\0';
|
||||
- setenv("TERM",term, 1);
|
||||
}
|
||||
|
||||
retval = pty_make_sane_hostname((struct sockaddr *) fromp, maxhostlen,
|
||||
@@ -832,13 +839,13 @@
|
||||
@@ -786,13 +793,13 @@ void doit(f, fromp)
|
||||
if (retval)
|
||||
fatalperror(f, "failed make_sane_hostname");
|
||||
if (passwd_req)
|
@ -1,35 +0,0 @@
|
||||
Fall back to TCP on kdc-unresolvable/unreachable errors. We still have
|
||||
to wait for UDP to fail, so this might not be ideal. RT #5868.
|
||||
|
||||
Index: src/lib/krb5/os/changepw.c
|
||||
===================================================================
|
||||
--- src/lib/krb5/os/changepw.c (revision 20199)
|
||||
+++ src/lib/krb5/os/changepw.c (working copy)
|
||||
@@ -251,11 +251,22 @@
|
||||
NULL,
|
||||
NULL
|
||||
))) {
|
||||
-
|
||||
- /*
|
||||
- * Here we may want to switch to TCP on some errors.
|
||||
- * right?
|
||||
- */
|
||||
+ /* if we're not using a stream socket, and it's an error which
|
||||
+ * might reasonably be specific to a datagram "connection", try
|
||||
+ * again with a stream socket */
|
||||
+ if (!useTcp) {
|
||||
+ switch (code) {
|
||||
+ case KRB5_KDC_UNREACH:
|
||||
+ case KRB5_REALM_CANT_RESOLVE:
|
||||
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
|
||||
+ /* should we do this for more result codes than these? */
|
||||
+ krb5int_free_addrlist (&al);
|
||||
+ useTcp = 1;
|
||||
+ continue;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
break;
|
||||
}
|
||||
|
387
krb5.spec
387
krb5.spec
@ -12,14 +12,18 @@
|
||||
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.7.1
|
||||
Release: 6%{?dist}
|
||||
Version: 1.8
|
||||
Release: 1%{?dist}
|
||||
# Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||
# http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar
|
||||
Source0: krb5-%{version}.tar.gz
|
||||
Source1: krb5-%{version}.tar.gz.asc
|
||||
# Everything that needs a krb5-appl counterpart will have it with number + 100
|
||||
# until we get the package split done, else the telnet/ftp/rcmd stuff will just
|
||||
# "vanish".
|
||||
Source100: krb5-appl-%{appl_version}.tar.gz
|
||||
Source101: krb5-appl-%{appl_version}.tar.gz.asc
|
||||
Source2: kpropd.init
|
||||
Source3: krb5-appl-%{appl_version}.tar.gz
|
||||
Source4: kadmind.init
|
||||
Source5: krb5kdc.init
|
||||
Source6: krb5.conf
|
||||
@ -41,7 +45,8 @@ Source22: ekrb5-telnet.xinetd
|
||||
# and tarred up.
|
||||
Source23: krb5-%{version}-pdf.tar.gz
|
||||
Source24: krb5-tex-pdf.sh
|
||||
Source25: krb5-trunk-manpaths.txt
|
||||
Source25: krb5-1.8-manpaths.txt
|
||||
Source125: krb5-appl-1.0-manpaths.txt
|
||||
Source26: gssftp.pamd
|
||||
Source27: kshell.pamd
|
||||
Source28: ekshell.pamd
|
||||
@ -51,45 +56,43 @@ Source31: kerberos-adm.portreserve
|
||||
Source32: krb5_prop.portreserve
|
||||
|
||||
Patch3: krb5-1.3-netkit-rsh.patch
|
||||
Patch4: krb5-1.3-rlogind-environ.patch
|
||||
Patch5: krb5-1.3-ksu-access.patch
|
||||
Patch6: krb5-1.5-ksu-path.patch
|
||||
Patch4: krb5-appl-1.0-rlogind-environ.patch
|
||||
Patch5: krb5-1.8-ksu-access.patch
|
||||
Patch6: krb5-1.8-ksu-path.patch
|
||||
Patch11: krb5-1.2.1-passive.patch
|
||||
Patch12: krb5-1.7-ktany.patch
|
||||
Patch14: krb5-1.3-ftp-glob.patch
|
||||
Patch16: krb5-1.7-buildconf.patch
|
||||
Patch23: krb5-1.3.1-dns.patch
|
||||
Patch26: krb5-1.3.2-efence.patch
|
||||
Patch29: krb5-1.7-kprop-mktemp.patch
|
||||
Patch29: krb5-1.8-kprop-mktemp.patch
|
||||
Patch30: krb5-1.3.4-send-pr-tempfile.patch
|
||||
Patch33: krb5-1.7-io.patch
|
||||
Patch33: krb5-appl-1.0-io.patch
|
||||
Patch36: krb5-1.7-rcp-markus.patch
|
||||
Patch39: krb5-1.7-api.patch
|
||||
Patch39: krb5-1.8-api.patch
|
||||
Patch40: krb5-1.4.1-telnet-environ.patch
|
||||
Patch41: krb5-1.6.3-login-lpass.patch
|
||||
Patch53: krb5-1.7-nodeplibs.patch
|
||||
Patch55: krb5-1.6.1-empty.patch
|
||||
Patch56: krb5-1.7-doublelog.patch
|
||||
Patch57: krb5-1.6.2-login_chdir.patch
|
||||
Patch58: krb5-1.6.2-key_exp.patch
|
||||
Patch59: krb5-trunk-kpasswd_tcp.patch
|
||||
Patch60: krb5-1.7-pam.patch
|
||||
Patch61: krb5-trunk-manpaths.patch
|
||||
Patch63: krb5-1.7-selinux-label.patch
|
||||
Patch57: krb5-appl-1.0-login_chdir.patch
|
||||
Patch58: krb5-1.8-key_exp.patch
|
||||
Patch59: krb5-1.8-kpasswd_tcp.patch
|
||||
Patch60: krb5-1.8-pam.patch
|
||||
Patch160: krb5-appl-1.0-pam.patch
|
||||
Patch61: krb5-1.8-manpaths.patch
|
||||
Patch161: krb5-appl-1.0-manpaths.patch
|
||||
Patch63: krb5-1.8-selinux-label.patch
|
||||
Patch70: krb5-trunk-kpasswd_tcp2.patch
|
||||
Patch71: krb5-1.7-dirsrv-accountlock.patch
|
||||
Patch71: krb5-1.8-dirsrv-accountlock.patch
|
||||
Patch72: krb5-1.6.3-ftp_fdleak.patch
|
||||
Patch73: krb5-1.6.3-ftp_glob_runique.patch
|
||||
Patch79: krb5-trunk-ftp_mget_case.patch
|
||||
Patch86: krb5-1.7-time_t_size.patch
|
||||
Patch88: krb5-1.7-sizeof.patch
|
||||
Patch89: krb5-1.7-largefile.patch
|
||||
Patch90: krb5-1.7-openssl-1.0.patch
|
||||
Patch89: krb5-appl-1.0-largefile.patch
|
||||
Patch93: krb5-1.7-create_on_load.patch
|
||||
Patch95: krb5-1.7-opte.patch
|
||||
Patch96: krb5-1.7-exp_warn.patch
|
||||
Patch97: http://web.mit.edu/kerberos/advisories/2010-001-patch.txt
|
||||
Patch98: krb5-1.7.1-kpasswd_ccache.patch
|
||||
Patch95: krb5-1.8-opte.patch
|
||||
Patch96: krb5-1.8-exp_warn.patch
|
||||
Patch98: krb5-1.8-kpasswd_ccache.patch
|
||||
|
||||
License: MIT
|
||||
URL: http://web.mit.edu/kerberos/www/
|
||||
@ -207,8 +210,7 @@ Group: System Environment/Base
|
||||
Requires: %{name}-workstation = %{version}-%{release}
|
||||
Requires(post): initscripts
|
||||
Requires(postun): initscripts
|
||||
# mktemp is used by krb5-send-pr
|
||||
Requires: mktemp, xinetd, /etc/pam.d/%{login_pam_service}
|
||||
Requires: xinetd, /etc/pam.d/%{login_pam_service}
|
||||
|
||||
%description workstation-servers
|
||||
Kerberos is a network authentication system. The krb5-workstation-servers
|
||||
@ -228,50 +230,69 @@ to obtain initial credentials from a KDC using a private key and a
|
||||
certificate.
|
||||
|
||||
%prep
|
||||
%setup -q -a 3 -a 23
|
||||
ln -s README LICENSE
|
||||
pushd src
|
||||
%patch60 -p2 -b .pam
|
||||
%patch61 -p0 -b .manpaths
|
||||
%setup -q -a 23 -a 100
|
||||
ln -s NOTICE LICENSE
|
||||
|
||||
%patch60 -p1 -b .pam
|
||||
pushd krb5-appl-%{appl_version}
|
||||
%patch160 -p1 -b .pam
|
||||
popd
|
||||
|
||||
%patch61 -p1 -b .manpaths
|
||||
pushd krb5-appl-%{appl_version}
|
||||
%patch161 -p1 -b .manpaths
|
||||
popd
|
||||
|
||||
%patch63 -p1 -b .selinux-label
|
||||
%patch3 -p1 -b .netkit-rsh
|
||||
pushd krb5-appl-%{appl_version}
|
||||
%patch3 -p3 -b .netkit-rsh
|
||||
%patch4 -p1 -b .rlogind-environ
|
||||
popd
|
||||
|
||||
%patch5 -p1 -b .ksu-access
|
||||
%patch6 -p1 -b .ksu-path
|
||||
%patch11 -p1 -b .passive
|
||||
pushd krb5-appl-%{appl_version}
|
||||
%patch11 -p3 -b .passive
|
||||
popd
|
||||
%patch12 -p1 -b .ktany
|
||||
%patch14 -p1 -b .ftp-glob
|
||||
pushd krb5-appl-%{appl_version}
|
||||
%patch14 -p3 -b .ftp-glob
|
||||
popd
|
||||
%patch16 -p1 -b .buildconf
|
||||
%patch23 -p1 -b .dns
|
||||
# Removes a malloc(0) case, nothing more.
|
||||
# %patch26 -p1 -b .efence
|
||||
%patch29 -p1 -b .kprop-mktemp
|
||||
%patch30 -p1 -b .send-pr-tempfile
|
||||
pushd krb5-appl-%{appl_version}
|
||||
%patch33 -p1 -b .io
|
||||
%patch36 -p1 -b .rcp-markus
|
||||
%patch36 -p3 -b .rcp-markus
|
||||
popd
|
||||
%patch39 -p1 -b .api
|
||||
%patch40 -p1 -b .telnet-environ
|
||||
%patch41 -p1 -b .login-lpass
|
||||
pushd krb5-appl-%{appl_version}
|
||||
%patch40 -p3 -b .telnet-environ
|
||||
popd
|
||||
%patch53 -p1 -b .nodeplibs
|
||||
#%patch55 -p1 -b .empty
|
||||
%patch56 -p1 -b .doublelog
|
||||
#%patch57 -p1 -b .login_chdir
|
||||
pushd krb5-appl-%{appl_version}
|
||||
%patch57 -p1 -b .login_chdir
|
||||
popd
|
||||
%patch58 -p1 -b .key_exp
|
||||
%patch59 -p0 -b .kpasswd_tcp
|
||||
%patch59 -p1 -b .kpasswd_tcp
|
||||
#%patch70 -p0 -b .kpasswd_tcp2
|
||||
%patch71 -p1 -b .dirsrv-accountlock
|
||||
%patch72 -p1 -b .ftp_fdleak
|
||||
%patch73 -p1 -b .ftp_glob_runique
|
||||
%patch79 -p0 -b .ftp_mget_case
|
||||
%patch86 -p1 -b .time_t_size
|
||||
%patch88 -p1 -b .sizeof
|
||||
pushd krb5-appl-%{appl_version}
|
||||
%patch72 -p3 -b .ftp_fdleak
|
||||
%patch73 -p3 -b .ftp_glob_runique
|
||||
%patch79 -p2 -b .ftp_mget_case
|
||||
%patch88 -p3 -b .sizeof
|
||||
%patch89 -p1 -b .largefile
|
||||
%patch90 -p0 -b .openssl-1.0
|
||||
%patch93 -p1 -b .create_on_load
|
||||
popd
|
||||
# Shouldn't be necessary in 1.8.
|
||||
##%patch93 -p1 -b .create_on_load
|
||||
%patch95 -p1 -b .opte
|
||||
%patch96 -p1 -b .exp_warn
|
||||
%patch97 -p1 -b .2010-001
|
||||
%patch98 -p1 -b .kpasswd-ccache
|
||||
gzip doc/*.ps
|
||||
|
||||
@ -284,7 +305,7 @@ sed -i -e '1c\
|
||||
\\usepackage{hyperref}' doc/implement/implement.tex
|
||||
|
||||
# Take the execute bit off of documentation.
|
||||
chmod -x doc/krb5-protocol/*.txt doc/*.html
|
||||
chmod -x doc/krb5-protocol/*.txt doc/*.html doc/*/*.html
|
||||
|
||||
# Rename the man pages so that they'll get generated correctly. Uses the
|
||||
# "krb5-trunk-manpaths.txt" source file.
|
||||
@ -293,6 +314,11 @@ cat %{SOURCE25} | while read manpage ; do
|
||||
mv "$manpage" "$manpage".in
|
||||
done
|
||||
popd
|
||||
pushd krb5-appl-%{appl_version}
|
||||
cat %{SOURCE125} | while read manpage ; do
|
||||
mv "$manpage" "$manpage".in
|
||||
done
|
||||
popd
|
||||
|
||||
# Check that the PDFs we built earlier match this source tree, using the
|
||||
# "krb5-tex-pdf.sh" source file.
|
||||
@ -315,20 +341,21 @@ egrep -iv '(^$|^dn:|^changetype:|^add:)' $inldif >> 60kerberos.ldif
|
||||
touch -r $inldif 60kerberos.ldif
|
||||
|
||||
# Rebuild the configure scripts.
|
||||
cd src
|
||||
top=`pwd`
|
||||
for configurein in `find -name configure.in -type f` ; do
|
||||
pushd `dirname $configurein`
|
||||
grep -q A._CONFIG_HEADER configure.in && autoheader -I "$top"
|
||||
autoconf -I "$top"
|
||||
pushd src
|
||||
autoheader
|
||||
autoconf
|
||||
popd
|
||||
|
||||
pushd krb5-appl-%{appl_version}
|
||||
autoheader
|
||||
autoconf
|
||||
popd
|
||||
done
|
||||
|
||||
%build
|
||||
cd src
|
||||
INCLUDES=-I%{_includedir}/et
|
||||
# Work out the CFLAGS and CPPFLAGS which we intend to use.
|
||||
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing`"
|
||||
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC`"
|
||||
CPPFLAGS="`echo $DEFINES $INCLUDES`"
|
||||
%configure \
|
||||
CC="%{__cc}" \
|
||||
@ -340,10 +367,6 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
|
||||
SS_LIB="-lss -lncurses" \
|
||||
%endif
|
||||
--enable-shared \
|
||||
--bindir=%{krb5prefix}/bin \
|
||||
--mandir=%{krb5prefix}/man \
|
||||
--sbindir=%{krb5prefix}/sbin \
|
||||
--datadir=%{krb5prefix}/share \
|
||||
--localstatedir=%{_var}/kerberos \
|
||||
--disable-rpath \
|
||||
--with-system-et \
|
||||
@ -364,11 +387,28 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
|
||||
--disable-pkinit \
|
||||
%endif
|
||||
--with-pam \
|
||||
--with-pam-login-service=%{login_pam_service} \
|
||||
--with-selinux
|
||||
# Now build it.
|
||||
make %{?_smp_mflags}
|
||||
|
||||
# The applications, too. Build everything position-independent. We only get
|
||||
# away with this if our build dependencies drag an older krb5-devel onto the
|
||||
# system.
|
||||
pushd ../krb5-appl-%{appl_version}
|
||||
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIE -fno-strict-aliasing`"
|
||||
LDFLAGS="-pie"
|
||||
%configure \
|
||||
CFLAGS="$CFLAGS" \
|
||||
LDFLAGS="$LDFLAGS" \
|
||||
--bindir=%{krb5prefix}/bin \
|
||||
--mandir=%{krb5prefix}/man \
|
||||
--sbindir=%{krb5prefix}/sbin \
|
||||
--datadir=%{krb5prefix}/share \
|
||||
--with-pam \
|
||||
--with-pam-login-service=%{login_pam_service}
|
||||
make %{?_smp_mflags}
|
||||
popd
|
||||
|
||||
# Run the test suite. We can't actually do this in the build system.
|
||||
: make check TMPDIR=%{_tmppath}
|
||||
|
||||
@ -399,7 +439,7 @@ install -pm 644 %{SOURCE6} $RPM_BUILD_ROOT/etc/krb5.conf
|
||||
|
||||
# Login-time scriptlets (krb5.sh, krb5.csh) to fix the PATH variable.
|
||||
mkdir -p $RPM_BUILD_ROOT/etc/profile.d
|
||||
for subpackage in devel workstation ; do
|
||||
for subpackage in workstation-clients workstation-servers ; do
|
||||
install -pm 644 %{SOURCE7} \
|
||||
$RPM_BUILD_ROOT/etc/profile.d/krb5-$subpackage.sh
|
||||
install -pm 644 %{SOURCE8} \
|
||||
@ -467,12 +507,13 @@ install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/kdb
|
||||
install -pdm 755 $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/authdata
|
||||
|
||||
# The rest of the binaries, headers, libraries, and docs.
|
||||
make -C src DESTDIR=$RPM_BUILD_ROOT install
|
||||
make -C src DESTDIR=$RPM_BUILD_ROOT EXAMPLEDIR=%{_docdir}/krb5-libs-%{version}/examples install
|
||||
make -C krb5-appl-%{appl_version} DESTDIR=$RPM_BUILD_ROOT install
|
||||
|
||||
# Munge krb5-config yet again. This is totally wrong for 64-bit, but chunks
|
||||
# of the buildconf patch already conspire to strip out /usr/<anything> from the
|
||||
# list of link flags, and it helps prevent file conflicts on multilib systems.
|
||||
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{krb5prefix}/bin/krb5-config
|
||||
sed -r -i -e 's|^libdir=/usr/lib(64)?$|libdir=/usr/lib|g' $RPM_BUILD_ROOT%{_bindir}/krb5-config
|
||||
|
||||
# Move specific libraries from %{_libdir} to /%{_lib}, and fixup the symlinks.
|
||||
touch $RPM_BUILD_ROOT/rootfile
|
||||
@ -489,13 +530,6 @@ for library in libgssapi_krb5 libgssrpc libk5crypto libkrb5 libkrb5support ; do
|
||||
popd
|
||||
done
|
||||
|
||||
# Move man pages which will be in the -libs subpackage into %%{_mandir}'s tree.
|
||||
for man in man1/tmac.doc man1/kerberos.1 man5/.k5login.5 man5/krb5.conf.5 ; do
|
||||
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/${man%%/*}
|
||||
mv $RPM_BUILD_ROOT/%{krb5prefix}/man/${man} \
|
||||
$RPM_BUILD_ROOT/%{_mandir}/${man%%/*}/
|
||||
done
|
||||
|
||||
%clean
|
||||
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
@ -574,62 +608,56 @@ fi
|
||||
exit 0
|
||||
|
||||
%files workstation
|
||||
%defattr(-,root,root)
|
||||
%docdir %{krb5prefix}/man
|
||||
%config(noreplace) /etc/profile.d/krb5-workstation.sh
|
||||
%config(noreplace) /etc/profile.d/krb5-workstation.csh
|
||||
%defattr(-,root,root,-)
|
||||
%doc doc/user*.ps.gz src/config-files/services.append
|
||||
%doc doc/{kdestroy,kinit,klist,kpasswd,ksu}.html
|
||||
%doc doc/krb5-user.html
|
||||
%attr(0755,root,root) %doc src/config-files/convert-config-files
|
||||
%{_infodir}/krb5-user.info*
|
||||
|
||||
%dir %{krb5prefix}
|
||||
%dir %{krb5prefix}/bin
|
||||
%dir %{krb5prefix}/man
|
||||
%dir %{krb5prefix}/man/man1
|
||||
%dir %{krb5prefix}/man/man8
|
||||
%dir %{krb5prefix}/sbin
|
||||
|
||||
# Clients of the KDC, including tools you're likely to need if you're running
|
||||
# app servers other than those built from this source package.
|
||||
%{krb5prefix}/bin/kdestroy
|
||||
%{krb5prefix}/man/man1/kdestroy.1*
|
||||
%{krb5prefix}/bin/kinit
|
||||
%{krb5prefix}/man/man1/kinit.1*
|
||||
%{krb5prefix}/bin/klist
|
||||
%{krb5prefix}/man/man1/klist.1*
|
||||
%{krb5prefix}/bin/kpasswd
|
||||
%{krb5prefix}/man/man1/kpasswd.1*
|
||||
%{_bindir}/kdestroy
|
||||
%{_mandir}/man1/kdestroy.1*
|
||||
%{_bindir}/kinit
|
||||
%{_mandir}/man1/kinit.1*
|
||||
%{_bindir}/klist
|
||||
%{_mandir}/man1/klist.1*
|
||||
%{_bindir}/kpasswd
|
||||
%{_mandir}/man1/kpasswd.1*
|
||||
|
||||
%{krb5prefix}/bin/kvno
|
||||
%{krb5prefix}/man/man1/kvno.1*
|
||||
%{krb5prefix}/bin/kadmin
|
||||
%{krb5prefix}/man/man1/kadmin.1*
|
||||
%{krb5prefix}/bin/k5srvutil
|
||||
%{krb5prefix}/man/man1/k5srvutil.1*
|
||||
%{krb5prefix}/bin/ktutil
|
||||
%{krb5prefix}/man/man1/ktutil.1*
|
||||
%{_bindir}/kvno
|
||||
%{_mandir}/man1/kvno.1*
|
||||
%{_bindir}/kadmin
|
||||
%{_mandir}/man1/kadmin.1*
|
||||
%{_bindir}/k5srvutil
|
||||
%{_mandir}/man1/k5srvutil.1*
|
||||
%{_bindir}/ktutil
|
||||
%{_mandir}/man1/ktutil.1*
|
||||
|
||||
# Doesn't really fit anywhere else.
|
||||
%attr(4755,root,root) %{krb5prefix}/bin/ksu
|
||||
%{krb5prefix}/man/man1/ksu.1*
|
||||
%attr(4755,root,root) %{_bindir}/ksu
|
||||
%{_mandir}/man1/ksu.1*
|
||||
%config(noreplace) /etc/pam.d/ksu
|
||||
|
||||
# Problem-reporting tool.
|
||||
%{krb5prefix}/sbin/krb5-send-pr
|
||||
%{krb5prefix}/man/man1/krb5-send-pr.1*
|
||||
%{_sbindir}/krb5-send-pr
|
||||
%dir %{_datadir}/gnats
|
||||
%{_datadir}/gnats/mit
|
||||
%{_mandir}/man1/krb5-send-pr.1*
|
||||
|
||||
%files workstation-clients
|
||||
%defattr(-,root,root)
|
||||
%defattr(-,root,root,-)
|
||||
%docdir %{krb5prefix}/man
|
||||
%doc doc/{ftp,rcp,rlogin,rsh,telnet}.html
|
||||
%attr(0755,root,root) %doc src/config-files/convert-config-files
|
||||
|
||||
%config(noreplace) /etc/profile.d/krb5-workstation-clients.sh
|
||||
%config(noreplace) /etc/profile.d/krb5-workstation-clients.csh
|
||||
|
||||
%dir %{krb5prefix}
|
||||
%dir %{krb5prefix}/bin
|
||||
%dir %{krb5prefix}/man
|
||||
%dir %{krb5prefix}/man/man1
|
||||
%dir %{krb5prefix}/sbin
|
||||
|
||||
# Used by both clients and servers.
|
||||
%{krb5prefix}/bin/rcp
|
||||
@ -646,11 +674,15 @@ exit 0
|
||||
%{krb5prefix}/man/man1/rsh.1*
|
||||
%{krb5prefix}/bin/telnet
|
||||
%{krb5prefix}/man/man1/telnet.1*
|
||||
%{krb5prefix}/man/man1/tmac.doc*
|
||||
|
||||
%files workstation-servers
|
||||
%defattr(-,root,root)
|
||||
%defattr(-,root,root,-)
|
||||
%docdir %{krb5prefix}/man
|
||||
|
||||
%config(noreplace) /etc/profile.d/krb5-workstation-servers.sh
|
||||
%config(noreplace) /etc/profile.d/krb5-workstation-servers.csh
|
||||
|
||||
%dir %{krb5prefix}
|
||||
%dir %{krb5prefix}/bin
|
||||
%dir %{krb5prefix}/man
|
||||
@ -658,10 +690,6 @@ exit 0
|
||||
%dir %{krb5prefix}/man/man8
|
||||
%dir %{krb5prefix}/sbin
|
||||
|
||||
# Problem-reporting tool.
|
||||
%{krb5prefix}/sbin/krb5-send-pr
|
||||
%{krb5prefix}/man/man1/krb5-send-pr.1*
|
||||
|
||||
# Used by both clients and servers.
|
||||
%{krb5prefix}/bin/rcp
|
||||
%{krb5prefix}/man/man1/rcp.1*
|
||||
@ -686,8 +714,8 @@ exit 0
|
||||
%{krb5prefix}/man/man8/telnetd.8*
|
||||
|
||||
%files server
|
||||
%defattr(-,root,root)
|
||||
%docdir %{krb5prefix}/man
|
||||
%defattr(-,root,root,-)
|
||||
%docdir %{_mandir}
|
||||
|
||||
/etc/rc.d/init.d/krb5kdc
|
||||
/etc/rc.d/init.d/kadmin
|
||||
@ -700,6 +728,8 @@ exit 0
|
||||
|
||||
%doc doc/admin*.ps.gz
|
||||
%doc doc/install*.ps.gz
|
||||
%doc doc/krb5-admin.html
|
||||
%doc doc/krb5-install.html
|
||||
|
||||
%{_infodir}/krb5-admin.info*
|
||||
%{_infodir}/krb5-install.info*
|
||||
@ -709,82 +739,72 @@ exit 0
|
||||
%config(noreplace) %{_var}/kerberos/krb5kdc/kdc.conf
|
||||
%config(noreplace) %{_var}/kerberos/krb5kdc/kadm5.acl
|
||||
|
||||
%dir %{krb5prefix}
|
||||
%dir %{krb5prefix}/bin
|
||||
%dir %{_libdir}/krb5
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/kdb
|
||||
%dir %{_libdir}/krb5/plugins/preauth
|
||||
%dir %{_libdir}/krb5/plugins/authdata
|
||||
%dir %{krb5prefix}/man
|
||||
%dir %{krb5prefix}/man/man1
|
||||
%dir %{krb5prefix}/man/man5
|
||||
%dir %{krb5prefix}/man/man8
|
||||
%dir %{krb5prefix}/sbin
|
||||
|
||||
# Problem-reporting tool.
|
||||
%{krb5prefix}/sbin/krb5-send-pr
|
||||
%{krb5prefix}/man/man1/krb5-send-pr.1*
|
||||
%{_sbindir}/krb5-send-pr
|
||||
%dir %{_datadir}/gnats
|
||||
%{_datadir}/gnats/mit
|
||||
%{_mandir}/man1/krb5-send-pr.1*
|
||||
|
||||
# KDC binaries.
|
||||
%{krb5prefix}/man/man5/kdc.conf.5*
|
||||
%{krb5prefix}/sbin/kadmin.local
|
||||
%{krb5prefix}/man/man8/kadmin.local.8*
|
||||
%{krb5prefix}/sbin/kadmind
|
||||
%{krb5prefix}/man/man8/kadmind.8*
|
||||
%{krb5prefix}/sbin/kdb5_util
|
||||
%{krb5prefix}/man/man8/kdb5_util.8*
|
||||
%{krb5prefix}/sbin/kprop
|
||||
%{krb5prefix}/man/man8/kprop.8*
|
||||
%{krb5prefix}/sbin/kpropd
|
||||
%{krb5prefix}/man/man8/kpropd.8*
|
||||
%{krb5prefix}/sbin/kproplog
|
||||
%{krb5prefix}/man/man8/kproplog.8*
|
||||
%{krb5prefix}/sbin/krb5kdc
|
||||
%{krb5prefix}/man/man8/krb5kdc.8*
|
||||
# KDC binaries and configuration.
|
||||
%{_mandir}/man5/kdc.conf.5*
|
||||
%{_sbindir}/kadmin.local
|
||||
%{_mandir}/man8/kadmin.local.8*
|
||||
%{_sbindir}/kadmind
|
||||
%{_mandir}/man8/kadmind.8*
|
||||
%{_sbindir}/kdb5_util
|
||||
%{_mandir}/man8/kdb5_util.8*
|
||||
%{_sbindir}/kprop
|
||||
%{_mandir}/man8/kprop.8*
|
||||
%{_sbindir}/kpropd
|
||||
%{_mandir}/man8/kpropd.8*
|
||||
%{_sbindir}/kproplog
|
||||
%{_mandir}/man8/kproplog.8*
|
||||
%{_sbindir}/krb5kdc
|
||||
%{_mandir}/man8/krb5kdc.8*
|
||||
|
||||
# This is here for people who want to test their server, and also
|
||||
# included in devel package for similar reasons.
|
||||
%{krb5prefix}/bin/sclient
|
||||
%{krb5prefix}/man/man1/sclient.1*
|
||||
%{krb5prefix}/sbin/sserver
|
||||
%{krb5prefix}/man/man8/sserver.8*
|
||||
%{_bindir}/sclient
|
||||
%{_mandir}/man1/sclient.1*
|
||||
%{_sbindir}/sserver
|
||||
%{_mandir}/man8/sserver.8*
|
||||
|
||||
%if %{WITH_LDAP}
|
||||
%files server-ldap
|
||||
%defattr(-,root,root)
|
||||
%docdir %{krb5prefix}/man
|
||||
%defattr(-,root,root,-)
|
||||
%docdir %{_mandir}
|
||||
%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
|
||||
%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
|
||||
%doc 60kerberos.ldif
|
||||
%dir %{_libdir}/krb5
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/kdb
|
||||
%dir %{krb5prefix}
|
||||
%dir %{krb5prefix}/man
|
||||
%dir %{krb5prefix}/man/man8
|
||||
%dir %{krb5prefix}/sbin
|
||||
%{_libdir}/krb5/plugins/kdb/kldap.so
|
||||
%{_libdir}/libkdb_ldap.so
|
||||
%{_libdir}/libkdb_ldap.so.*
|
||||
%{krb5prefix}/man/man8/kdb5_ldap_util.8.gz
|
||||
%{krb5prefix}/sbin/kdb5_ldap_util
|
||||
%{_mandir}/man8/kdb5_ldap_util.8.gz
|
||||
%{_sbindir}/kdb5_ldap_util
|
||||
%endif
|
||||
|
||||
%files libs
|
||||
%defattr(-,root,root)
|
||||
%doc README LICENSE
|
||||
%docdir %{krb5prefix}/man
|
||||
%defattr(-,root,root,-)
|
||||
%doc README NOTICE LICENSE
|
||||
%docdir %{_mandir}
|
||||
%verify(not md5 size mtime) %config(noreplace) /etc/krb5.conf
|
||||
/%{_mandir}/man1/tmac.doc*
|
||||
/%{_mandir}/man1/kerberos.1*
|
||||
/%{_mandir}/man5/.k5login.5*
|
||||
/%{_mandir}/man5/krb5.conf.5*
|
||||
/%{_lib}/libgssapi_krb5.so.*
|
||||
/%{_lib}/libgssrpc.so.*
|
||||
/%{_lib}/libk5crypto.so.*
|
||||
%{_libdir}/libkadm5clnt.so.*
|
||||
%{_libdir}/libkadm5srv.so.*
|
||||
%{_libdir}/libkadm5clnt_mit.so.*
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
%{_libdir}/libkdb5.so.*
|
||||
/%{_lib}/libkrb5.so.*
|
||||
/%{_lib}/libkrb5support.so.*
|
||||
@ -797,7 +817,7 @@ exit 0
|
||||
|
||||
%if %{WITH_OPENSSL}
|
||||
%files pkinit-openssl
|
||||
%defattr(-,root,root)
|
||||
%defattr(-,root,root,-)
|
||||
%dir %{_libdir}/krb5
|
||||
%dir %{_libdir}/krb5/plugins
|
||||
%dir %{_libdir}/krb5/plugins/preauth
|
||||
@ -805,55 +825,58 @@ exit 0
|
||||
%endif
|
||||
|
||||
%files devel
|
||||
%defattr(-,root,root)
|
||||
|
||||
%config(noreplace) /etc/profile.d/krb5-devel.sh
|
||||
%config(noreplace) /etc/profile.d/krb5-devel.csh
|
||||
|
||||
%docdir %{krb5prefix}/man
|
||||
%defattr(-,root,root,-)
|
||||
%docdir %{_mandir}
|
||||
%doc doc/api/*.pdf
|
||||
%doc doc/ccapi
|
||||
%doc doc/implement/*.pdf
|
||||
%doc doc/kadm5/*.pdf
|
||||
%doc doc/kadmin
|
||||
%doc doc/kim
|
||||
%doc doc/krb5-protocol
|
||||
%doc doc/rpc
|
||||
%doc doc/threads.txt
|
||||
|
||||
%dir %{krb5prefix}
|
||||
%dir %{krb5prefix}/bin
|
||||
%dir %{krb5prefix}/man
|
||||
%dir %{krb5prefix}/man/man1
|
||||
%dir %{krb5prefix}/man/man8
|
||||
%dir %{krb5prefix}/sbin
|
||||
|
||||
%{_includedir}/*
|
||||
%{_libdir}/libgssapi_krb5.so
|
||||
%{_libdir}/libgssrpc.so
|
||||
%{_libdir}/libk5crypto.so
|
||||
%{_libdir}/libkadm5clnt.so
|
||||
%{_libdir}/libkadm5clnt_mit.so
|
||||
%{_libdir}/libkadm5srv.so
|
||||
%{_libdir}/libkadm5srv_mit.so
|
||||
%{_libdir}/libkdb5.so
|
||||
%{_libdir}/libkrb5.so
|
||||
%{_libdir}/libkrb5support.so
|
||||
|
||||
%{krb5prefix}/bin/krb5-config
|
||||
%{krb5prefix}/bin/sclient
|
||||
%{krb5prefix}/man/man1/krb5-config.1*
|
||||
%{krb5prefix}/man/man1/sclient.1*
|
||||
%{krb5prefix}/man/man8/sserver.8*
|
||||
%{krb5prefix}/sbin/sserver
|
||||
%{_bindir}/krb5-config
|
||||
%{_bindir}/sclient
|
||||
%{_mandir}/man1/krb5-config.1*
|
||||
%{_mandir}/man1/sclient.1*
|
||||
%{_mandir}/man8/sserver.8*
|
||||
%{_sbindir}/sserver
|
||||
|
||||
# Protocol test clients.
|
||||
%{krb5prefix}/bin/sim_client
|
||||
%{krb5prefix}/bin/gss-client
|
||||
%{krb5prefix}/bin/uuclient
|
||||
%{_bindir}/sim_client
|
||||
%{_bindir}/gss-client
|
||||
%{_bindir}/uuclient
|
||||
|
||||
# Protocol test servers.
|
||||
%{krb5prefix}/sbin/sim_server
|
||||
%{krb5prefix}/sbin/gss-server
|
||||
%{krb5prefix}/sbin/uuserver
|
||||
%{_sbindir}/sim_server
|
||||
%{_sbindir}/gss-server
|
||||
%{_sbindir}/uuserver
|
||||
|
||||
%changelog
|
||||
* Fri Mar 5 2010 Nalin Dahyabhai <nalin@redhat.com> - 1.8-1
|
||||
- update to 1.8
|
||||
- temporarily bundling the krb5-appl package (split upstream as of 1.8)
|
||||
until its package review is complete
|
||||
- profile.d scriptlets are now only needed by -workstation-clients
|
||||
- adjust paths in init scripts
|
||||
- drop upstreamed fix for KDC denial of service (CVE-2010-0283)
|
||||
- drop patch to check the user's password correctly using crypt(), which
|
||||
isn't a code path we hit when we're using PAM
|
||||
|
||||
* Wed Mar 3 2010 Nalin Dahyabhai <nalin@redhat.com> - 1.7.1-6
|
||||
- fix a null pointer dereference and crash introduced in our PAM patch that
|
||||
would happen if ftpd was given the name of a user who wasn't known to the
|
||||
|
@ -33,7 +33,7 @@
|
||||
|
||||
RETVAL=0
|
||||
prog="Kerberos 5 KDC"
|
||||
krb5kdc=/usr/kerberos/sbin/krb5kdc
|
||||
krb5kdc=/usr/sbin/krb5kdc
|
||||
|
||||
# Shell functions to cut down on useless shell instances.
|
||||
start() {
|
||||
|
8
sources
8
sources
@ -1,3 +1,5 @@
|
||||
9d79efba57423008e65efc5ff75405d6 krb5-1.7.1.tar.gz
|
||||
2197cc65ed90f00f92e5a27bd514b53b krb5-1.7.1.tar.gz.asc
|
||||
309139729539cf5ef403bb0dc7ae455b krb5-1.7.1-pdf.tar.gz
|
||||
a3391a739009efa9734db720d34f4c07 krb5-1.8.tar.gz
|
||||
f923ec08f24df9e5a284be74895a6daa krb5-1.8.tar.gz.asc
|
||||
4ecf03dad0df7f2ded49f0cfd9786157 krb5-appl-1.0.tar.gz
|
||||
33056e617e2cbad7c8e8b732aa0fdd91 krb5-appl-1.0.tar.gz.asc
|
||||
32f8238d4553c44ecdc41205c3cb0333 krb5-1.8-pdf.tar.gz
|
||||
|
Loading…
Reference in New Issue
Block a user